flyai-instant-departure Security Report — Low Risk | ClawSafe

20 /100

flyai-instant-departure

极限出发助手——X小时内能到哪？不是"想去哪搜机票"，而是"就现在出发，最快能到哪"。

Pure Markdown documentation package with no executable code - all capabilities (shell commands, file access, network requests) are clearly documented in SKILL.md and reference files.

Skill Nameflyai-instant-departure

Duration36.0s

Enginepi

✓

Safe to install

Approve for use. The documented NODE_TLS_REJECT_UNAUTHORIZED=0 bypass is a minor concern but is explicitly declared. No hidden functionality detected.

Findings 2 items

Severity	Finding	Location
Low	Documented SSL certificate bypass Doc Mismatch workflow.md documents NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL verification for FlyAI CLI commands. This is a security concern but is explicitly declared. `NODE_TLS_REJECT_UNAUTHORIZED=0 flyai <command>` → Consider using proper certificate management instead of disabling SSL verification, or document the security implications clearly.	`reference/workflow.md:48`
Low	Accesses user home directory Sensitive Access References ~/.flyai/user-profile.md for storing user preferences. This is declared and reasonable for a travel planning skill. `~/.flyai/user-profile.md` → No action required - access pattern is declared and necessary for the feature.	`reference/user-profile-storage.md:52`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md:16 - reads ~/.flyai/user-profile.md
Network	`READ`	`READ`	✓ Aligned	SKILL.md:5-6 - uses search-flight, search-hotel, search-poi APIs
Shell	`WRITE`	`WRITE`	✓ Aligned	workflow.md:10 - npm install -g @fly-ai/flyai-cli
Environment	`READ`	`READ`	✓ Aligned	workflow.md:48 - NODE_TLS_REJECT_UNAUTHORIZED=0
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md:15 - search_memory, update_memory, ask_user_question

5 findings

🔗

Medium External URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

Medium External URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

🔗

Medium External URL 外部 URL

https://nodejs.org/

reference/workflow.md:19

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com

reference/workflow.md:21

🔗

Medium External URL 外部 URL

https://www.fliggy.com/xxx

reference/workflow.md:182

File Tree

12 files · 30.0 KB · 961 lines

Markdown 12f · 961L

├─ ▾ 📁 reference

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 examples.md Markdown 51L · 1.6 KB

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

│ └─ 📝 workflow.md Markdown 188L · 5.9 KB

└─ 📝 SKILL.md Markdown 94L · 3.9 KB

Security Positives

✓ No executable code - purely Markdown documentation

✓ All capabilities clearly documented in SKILL.md

✓ No obfuscation or base64-encoded payloads

✓ No credential harvesting or data exfiltration

✓ No reverse shell or C2 communication patterns

✓ User profile storage is optional and declared

✓ External URLs are documented reference links only

Scan Report

Findings 2 items

File Tree

Security Positives