Skillv3.2.0

ClawScan security

Zoo Aquarium · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 12, 2026, 7:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions and claims are internally inconsistent and it requires installing an unverified global npm CLI and writing execution logs — these mismatches and implicit install steps warrant caution.
Guidance: Proceed with caution. Key concerns: (1) The skill claims to be ‘powered by Fliggy’ but instructs use of a different CLI (@fly-ai/flyai-cli) — ask the publisher for the authoritative source and repository URL. (2) The SKILL.md requires installing a global npm package without a supplied homepage or repo; do NOT install a global package you cannot inspect. If you test, do so in an isolated environment (container/VM) and audit the package source before installing. (3) The skill may write an execution log containing raw user queries to .flyai-execution-log.json — this can capture sensitive input. Confirm whether logs are retained, where they are stored, and how they are protected. (4) Ask the author to provide: the CLI repository URL, package integrity info (checksum or signed release), explicit documentation for all claimed features (flights/hotels/visa), and a privacy statement for logs. If these are not provided, avoid installing the skill or run it only in a sandboxed environment.

Review Dimensions

Purpose & Capability: concernThe skill description claims it's “powered by Fliggy (Alibaba Group)” and advertises broad travel features (flights, hotels, visas), but the runtime instructions exclusively call a third-party CLI named @fly-ai/flyai-cli and only document attraction/POI searches. The advertised provider (Fliggy) does not match the CLI referenced (flyai), and the claimed capabilities (booking flights/hotels/visas) are not supported or documented in the playbooks — this is an unexplained mismatch.
Instruction Scope: noteSKILL.md forces the agent to obtain all data exclusively via the flyai CLI and forbids using training data. It also includes internal runbook instructions that may write an execution log (.flyai-execution-log.json) containing raw user queries and commands. The instructions therefore expand the agent's runtime behavior (global npm install, CLI execution, potential file writes) beyond a simple read-only query skill.
Install Mechanism: concernThere is no install spec in the registry metadata, but the SKILL.md mandates installing a global npm package (npm i -g @fly-ai/flyai-cli) if the CLI is missing. Installing a global npm package from an unverified source is moderate-to-high risk because the package code cannot be inspected via the registry metadata. The skill gives no repository URL, official vendor domain, or cryptographic verification for that package.
Credentials: noteThe skill does not request credentials or environment variables (proportionate), which is good. However, its runbook suggests logging full request data (raw user_query) to disk if writable. Persisting queries may capture PII or sensitive user input — a privacy risk not disclosed in the manifest. No explicit network exfiltration patterns are present in SKILL.md, but the external CLI will perform network calls whose behavior is unknown.
Persistence & Privilege: noteThe skill does not request elevated platform privileges and is not always-enabled. It does, however, instruct the agent to persist execution logs to a local file when possible which gives it a modest persistence footprint in the working directory. It does not request or modify other skills' configurations.