flyai-multi-airport-radar 安全扫描报告 — 低风险 | ClawSafe

10 /100

flyai-multi-airport-radar

同城不同价·多机场比价雷达 — multi-airport flight price comparison radar for Fliggy (飞猪) travel platform

Entirely documentation-based skill with no executable scripts; declared shell usage via npm-installed CLI is legitimate travel tool behavior, but TLS verification bypass is a minor concern.

技能名称flyai-multi-airport-radar

分析耗时35.2s

引擎pi

✓

可以安装

Approve with caveats: verify the @fly-ai/flyai-cli npm package integrity before use, and consider removing NODE_TLS_REJECT_UNAUTHORIZED=0 in production environments.

安全发现 2 项

严重性	安全发现	位置
低危	NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification 敏感访问 workflow.md instructs the AI to set NODE_TLS_REJECT_UNAUTHORIZED=0 before calling flyai CLI, which disables SSL/TLS certificate validation for all outbound HTTPS connections. This exposes the user to man-in-the-middle attacks and is generally considered insecure practice in production environments. `NODE_TLS_REJECT_UNAUTHORIZED=0 flyai search-flight` → Remove NODE_TLS_REJECT_UNAUTHORIZED=0 unless communicating exclusively with known-internal APIs. If TLS inspection/proxy is the reason, document it clearly and restrict to specific hosts.	`reference/workflow.md:46`
低危	SKILL.md frontmatter does not declare shell:WRITE permission 文档欺骗 The SKILL.md frontmatter (name, description) does not include any 'allowedTools' declaration. The skill's actual behavior involves shell execution via Bash (npm install, flyai CLI), but this is only discoverable by reading reference/workflow.md. `name: flyai-multi-airport-radar description: 同城不同价·多机场比价雷达...` → Add allowedTools to SKILL.md frontmatter: Bash (shell:WRITE) should be declared since the skill runs npm install and CLI commands.	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
命令执行	`WRITE`	`WRITE`	✓ 一致	workflow.md: npm install + flyai CLI invocations
文件系统	`READ`	`READ`	✓ 一致	user-profile-storage.md: read ~/.flyai/user-profile.md
网络访问	`READ`	`READ`	✓ 一致	tools.md: flyai CLI calls Fliggy API
环境变量	`NONE`	`READ`	✓ 一致	workflow.md: NODE_TLS_REJECT_UNAUTHORIZED=0 env var set inline
技能调用	`NONE`	`READ`	✓ 一致	advanced.md: cross-skill invocation references
剪贴板	`NONE`	`NONE`	—	N/A
浏览器	`NONE`	`NONE`	—	N/A
数据库	`NONE`	`NONE`	—	N/A

9 项发现

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/xxxxx

SKILL.md:76

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/hotel/xxxxx

SKILL.md:77

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/poi/xxxxx

SKILL.md:78

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/yyyyy

reference/examples.md:55

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/zzzzz

reference/examples.md:61

🔗

中危外部 URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

中危外部 URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

🔗

中危外部 URL 外部 URL

https://nodejs.org/

reference/workflow.md:19

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com

reference/workflow.md:21

目录结构

16 文件 · 38.8 KB · 1179 行

Markdown 16f · 1179L

├─ ▾ 📁 reference

│ ├─ 📝 advanced.md Markdown 21L · 682 B

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 error-handling.md Markdown 11L · 401 B

│ ├─ 📝 examples.md Markdown 82L · 3.4 KB

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ ├─ 📝 self-learning.md Markdown 19L · 450 B

│ ├─ 📝 tools.md Markdown 34L · 782 B

│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

│ └─ 📝 workflow.md Markdown 264L · 10.4 KB

└─ 📝 SKILL.md Markdown 120L · 4.2 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`@fly-ai/flyai-cli`	`latest`	npm	否	Version not pinned, latest tag used; package should be verified before deployment
`@anthropic-ai/flyai-cli`	`latest`	npm	否	Referenced in tools.md but not used in workflow; version not pinned

安全亮点

✓ Entirely markdown-based skill — no executable scripts, no code to audit for backdoors

✓ All functionality comprehensively documented across 15 reference files

✓ No credential harvesting, key exfiltration, or credential enumeration observed

✓ No base64, eval(), or obfuscated code present anywhere

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, credentials stores)

✓ No reverse shell, C2 communication, or data exfiltration channels detected

✓ No supply-chain risk — uses npm with @latest tag (could be pinned but not malicious)

✓ Filesystem access is minimal and scoped to ~/.flyai/user-profile.md

✓ Memory system uses declared search_memory/update_memory tools, no secret data collection