Trusted — Risk Score 5/100
Last scan: 2 days ago
visa-itinerary-gen
Generate consulate-grade visa itinerary documents from natural language input using flyai real-time travel data
A legitimate visa itinerary generator that uses flyai CLI for travel data and Playwright for PDF rendering. All operations are documented and necessary for the stated purpose.
Skill Name: visa-itinerary-gen
Duration: 34.5s
Engine: pi
Safe to install
Approve for use. All shell commands and dependencies are declared, documented, and user-interactive.

Findings 2 items

Severity: Low
Finding: Browser resource used without declaration (Priv Escalation)
The render_pdf.py script uses Playwright to launch a Chromium browser for PDF rendering, which requires browser:WRITE access. This is not explicitly declared in SKILL.md metadata.
    browser = p.chromium.launch()
→ Add Playwright to the install requirements in SKILL.md metadata
Location: scripts/render_pdf.py:107

Severity: Low
Finding: Playwright installed without version pinning (Supply Chain)
The skill instructs users to install Playwright without specifying a version, which could lead to dependency version conflicts.
    pip3 install playwright && python3 -m playwright install chromium
→ Consider pinning Playwright version for reproducibility
Location: SKILL.md:79

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md lines 60-100: flyai CLI commands for flights, hotels, attractions |
| Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md line 149: writes travel_plan.md; scripts/render_pdf.py: writes temp HTM… |
| Network | READ | READ | ✓ Aligned | SKILL.md: accesses Fliggy API via flyai CLI for travel data |
| Browser | NONE | WRITE | ✓ Aligned | scripts/render_pdf.py line 107: uses playwright.sync_api for PDF rendering |
| Clipboard | NONE | WRITE | ✓ Aligned | templates/booking_links_*.html: copyLink() uses navigator.clipboard.writeText() |

28 findings

File Tree

5 files · 73.1 KB · 1469 lines
HTML 2f · 823L Markdown 2f · 446L Python 1f · 200L
├─ 📁 scripts
│ └─ 🐍 render_pdf.py Python 200L · 5.5 KB
├─ 📁 templates
│ ├─ 📄 booking_links_cn.html HTML 409L · 22.3 KB
│ └─ 📄 booking_links_en.html HTML 414L · 22.1 KB
├─ 📝 README.md Markdown 130L · 4.8 KB
└─ 📝 SKILL.md Markdown 316L · 18.4 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @fly-ai/flyai-cli | latest | npm | No | Third-party travel search CLI, installed globally via npm |
| playwright | unpinned | pip | No | Version not pinned in install instructions |

Security Positives

✓ No credential theft - skill does not access ~/.ssh, ~/.aws, .env, or any credential paths
✓ No data exfiltration - no external POST requests with user data
✓ No obfuscation - no base64, eval(), or anti-analysis techniques
✓ No hidden functionality - all shell commands and operations are documented in SKILL.md
✓ No remote script execution - no curl|bash or wget|sh patterns
✓ User-interactive dependency installation - always asks permission before installing
✓ Clean HTML templates - no malicious JavaScript beyond standard clipboard copy
✓ Temporary files are properly cleaned up after PDF generation