Low Risk — Risk Score 15/100
Last scan: 1 day ago
flyai-packing-list
Scenario-based smart packing list generator. Based on the destination, travel dates, purpose of travel and travel companions, combined with FlyAI real-time search of destination information, it generates a personalized, categorized packing list.
Purely documentation-based skill with no executable code. Minor security concern around NODE_TLS_REJECT_UNAUTHORIZED=0 usage, but this is documented and necessary for FlyAI CLI functionality in certain network environments.
Skill Name: flyai-packing-list
Duration: 33.9s
Engine: pi
Safe to install
Accept for use. Consider documenting the TLS bypass rationale and ensuring FlyAI CLI is from a trusted source.

Findings (2 items)

Severity | Finding | Category | Location
Low | User profile file access | Sensitive Access | reference/user-profile-storage.md:45
  Description: Skill reads/writes user travel preferences to ~/.flyai/user-profile.md. This is expected behavior for a travel assistant and does not constitute credential theft since it stores user-declared preferences only.
  Evidence: ~/.flyai/user-profile.md
  → No action needed - this is intended functionality
Low | TLS verification bypass documented | Supply Chain | SKILL.md:82
  Description: The skill sets NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL certificate verification when calling FlyAI CLI. This is documented behavior and appears necessary for the tool to function in certain network environments (e.g., corporate proxies, development environments with self-signed certs).
  Evidence: NODE_TLS_REJECT_UNAUTHORIZED=0 flyai keyword-search
  → Document the specific reason for TLS bypass and consider using proper certificate configuration if possible
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md: Reads ~/.flyai/user-profile.md for user preferences
Network | READ | READ | ✓ Aligned | SKILL.md: Calls FlyAI CLI for search operations
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: Executes npm install and flyai commands via shell
Environment | READ | READ | ✓ Aligned | SKILL.md: Sets NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable
4 findings
Severity | Finding | URL | Location
Medium | External URL | https://nodejs.org/ | SKILL.md:57
Medium | External URL | https://registry.npmmirror.com | SKILL.md:59
Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44
Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32

File Tree

11 files · 25.8 KB · 888 lines
Markdown: 11 files · 888 lines
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 tools.md Markdown 34L · 782 B
│ └─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
└─ 📝 SKILL.md Markdown 226L · 6.5 KB

Security Positives

✓ Pure documentation skill with no executable code (100% Markdown files)
✓ All declared capabilities align with inferred capabilities
✓ No credential harvesting or data exfiltration detected
✓ No obfuscation techniques present
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or eval() calls
✓ No reverse shell or C2 communication patterns
✓ User profile storage is appropriate for a travel assistant skill