ClawHub

FlyAI — Travel, Flight & Hotel Search and Booking

v1.0.14

Search flights, hotels, attractions, concerts, and travel deals with natural language. FlyAI connects to Fliggy MCP for real-time search and booking across h...

15· 1.7k·8 current·8 all-time
by@yealexchen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (travel search & booking) align with the provided runtime instructions and reference docs. Requiring the node binary is consistent with the CLI usage (npm-installed flyai CLI). The optional FLYAI_API_KEY is reasonable for improved results.
Instruction Scope
SKILL.md instructs the agent/user to run the flyai CLI (search and booking commands) and to use date for current-date context. The instructions do not direct reading unrelated files or exfiltrating data; they focus on calling the CLI and using the documented command parameters.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md tells users to run 'npm i -g @fly-ai/flyai-cli' to install an external CLI. Installing global npm packages is a separate action outside the skill bundle and carries the usual supply-chain risk — users should vet the package and publisher.
Credentials
The manifest requests no environment variables or credentials. SKILL.md documents an optional FLYAI_API_KEY for enhanced results; this is proportionate and clearly marked optional.
Persistence & Privilege
Skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills. Agent autonomous invocation is the platform default and not a special privilege here.
Scan Findings in Context
[regex-scan-none] expected: No code files present; the regex-based scanner had nothing to analyze. The security surface is primarily the SKILL.md instructions.
Assessment
This skill appears coherent for travel search and booking. Before installing or running anything the CLI suggests: 1) Vet the npm package (@fly-ai/flyai-cli) — check the npm publisher, Github repo, release history, and community feedback; 2) Prefer inspecting the package contents (or run in an isolated environment/container) before doing a global install; 3) Only provide an API key if you trust the service and understand its scope; avoid reusing high-value credentials (AWS, Google, etc.) that the skill doesn't request; 4) Remember the CLI will make network calls — treat outputs/URLs carefully and verify any payment or booking flows directly on trusted vendor pages. If you need deeper assurance, ask the publisher for source code or a reproducible install/build and verify network endpoints used by the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dm5d1mfy8a941tn6rknqevn8407e0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binsnode

Comments