ClawHub
Back to skill
v1.0.0

travel-visa

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

This is a coherent travel-visa advice skill, but it relies on an external FlyAI CLI/service and may send travel details to FlyAI/Fliggy when used.

GuidanceBefore installing, verify the official FlyAI CLI package, be aware that travel details may be sent to FlyAI/Fliggy, and only configure an API key if you trust the provider and understand its scope.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
安装 CLI:`npm i -g @fly-ai/flyai-cli`

The instruction-only skill depends on a globally installed external CLI that is not represented in the registry install specification. The setup is explicit and user-directed, but users should verify the package source before installing.

User impactInstalling a global CLI gives that package local execution capability on the user's machine.
RecommendationInstall only from the official FlyAI source, review the npm package identity, and avoid installing it globally if a safer scoped installation is available.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityInfoConfidenceHighStatusNote
SKILL.md
flyai config set FLYAI_API_KEY "your-key"

The skill documents an optional provider API key for enhanced service access. This is expected for the FlyAI integration and no artifact shows logging, hardcoding, or unrelated use of the key.

User impactIf configured, the FlyAI CLI may use the user's API key for provider requests.
RecommendationUse a dedicated key with the minimum needed scope, and revoke or rotate it if the CLI or environment is no longer trusted.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
最小输入:`departure country/region`、`destination country/region`、`passport nationality`、`planned departure date` ... 访问 FlyAI/Fliggy 数据端点

The workflow collects travel details and uses FlyAI/Fliggy network endpoints. This is aligned with visa/travel search, but the artifacts do not describe provider-side privacy, retention, or data boundary handling.

User impactTravel itinerary and passport-nationality details may be sent to external services during searches.
RecommendationAvoid entering unnecessary personal details, and check FlyAI/Fliggy privacy terms before using the skill for sensitive travel plans.