Trusted: risk score 5/100
Last scanned: 1 day ago
worst-travel-challenge
AI travel challenge skill that intentionally plans the worst-rated flights, hotels, and attractions using FlyAI real-time data, with snarky commentary and travel content generation.
This skill is a pure Markdown documentation package for a creative travel-planning AI agent. No executable code, scripts, binaries, or sensitive operations exist — only markdown documentation describing FlyAI CLI command usage.
Skill name: worst-travel-challenge
Analysis time: 29.7s
Engine: pi
OK to install
No action required. The skill is a benign creative travel planning tool with no security concerns.
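| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file operations in any file |
| Command execution | NONE | NONE | | Only describes CLI command names in documentation; no subprocess/exec calls |
| Network access | NONE | NONE | | FlyAI CLI tool handles network calls externally; skill itself makes no network r… |
| Environment variables | NONE | NONE | | No environment variable access in any file |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database operations |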
7 findings
Medium severity: External URL https://img.shields.io/badge/version-1.1.0-blue.svg (README.md:9)
Medium severity: External URL https://img.shields.io/badge/FlyAI-Required-orange.svg (README.md:10)
Medium severity: External URL https://flyai.open.fliggy.com (README.md:10)
Medium severity: External URL https://img.shields.io/badge/license-MIT-green.svg (README.md:11)
Medium severity: External URL https://img.shields.io/badge/ClawHub-Verified-purple.svg (README.md:12)
Medium severity: External URL https://www.clawhub.com (README.md:12)
Medium severity: External URL https://a.feizhu.com/xxxxx (references/README.md:72)

Directory structure

3 files · 38.4 KB · 1048 lines
Markdown 3f · 1048L
├─ 📁 references
│ └─ 📝 README.md Markdown 110L · 3.4 KB
├─ 📝 README.md Markdown 760L · 27.7 KB
└─ 📝 SKILL.md Markdown 178L · 7.3 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @fly-ai/flyai-cli | not specified | npm | | External npm CLI tool; no credentials required; skill declares version-less install as acceptable |

Security highlights

✓ Pure markdown documentation package — zero executable code
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env, etc.)
✓ No credential harvesting or environment variable reading
✓ No network exfiltration or C2 communication
✓ No obfuscation techniques (no base64, no eval, no encoded payloads)
✓ No supply chain risks — declared dependency is a public npm tool with no credentials required
✓ Declared FlyAI CLI commands are travel-search utilities, not dangerous operations
✓ Explicitly states no API key or credential requirement
✓ Includes appropriate safety constraints (user confirmation, budget adherence, illegal-activity prohibition)
✓ No reverse shell, C2, or persistence mechanisms