flyai-transit-tour Security Report — Suspicious | ClawSafe

45 /100

flyai-transit-tour

中转不浪费攻略助手 - 帮用户把中转等待变成免费旅行，找到中转能玩的航班方案

Skill declares no permissions but workflow.md requires shell:WRITE for npm install, filesystem access to ~/.flyai/, and contains TLS bypass with undeclared external dependencies.

Skill Nameflyai-transit-tour

Duration44.6s

Enginepi

⚠

Use with caution

SKILL.md must be updated to declare shell:WRITE (npm install -g), filesystem:WRITE (~/.flyai/), and filesystem:READ (~/.flyai/) permissions. Pin FlyAI CLI to a specific version instead of @latest.

Findings 5 items

Severity	Finding	Location
High	Undeclared shell execution in workflow Doc Mismatch SKILL.md declares no permissions, but reference/workflow.md requires executing 'npm install -g @fly-ai/flyai-cli@latest' which is shell:WRITE level. `npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org` → Add shell:WRITE to declared permissions in SKILL.md frontmatter or remove inline CLI installation.	`reference/workflow.md:11`
High	Undeclared filesystem access for user profile storage Doc Mismatch user-profile-storage.md reads/writes to ~/.flyai/user-profile.md without declaring filesystem:READ or filesystem:WRITE permissions. `read_file(file_path="~/.flyai/user-profile.md")` → Declare filesystem:READ and filesystem:WRITE permissions in SKILL.md for ~/.flyai/ path access.	`reference/user-profile-storage.md:55`
Medium	Unpinned dependency version Supply Chain npm install uses @fly-ai/flyai-cli@latest which fetches the latest version without pinning, risking supply chain attacks. `@fly-ai/flyai-cli@latest` → Pin to a specific version (e.g., @fly-ai/[email protected]) to ensure reproducible and secure builds.	`reference/workflow.md:11`
Medium	TLS verification bypass Sensitive Access Workflow instructs to set NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL certificate verification, exposing connections to MITM attacks. `NODE_TLS_REJECT_UNAUTHORIZED=0 flyai <command>` → Investigate root cause of SSL errors and fix CA certificates rather than disabling verification.	`reference/workflow.md:17`
Low	Reference files contain executable patterns Doc Mismatch Reference markdown files contain bash commands that would need to be executed as shell commands if used as scripts. `flyai --help` → Clearly document whether reference files are documentation or executable scripts.	`reference/workflow.md:36`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✗ Violation	reference/workflow.md:11 - npm install -g @fly-ai/flyai-cli
Filesystem	`NONE`	`WRITE`	✗ Violation	reference/user-profile-storage.md - mkdir -p ~/.flyai, write ~/.flyai/user-profi…
Filesystem	`NONE`	`READ`	✗ Violation	reference/user-profile-storage.md - read ~/.flyai/user-profile.md
Network	`NONE`	`READ`	✗ Violation	reference/workflow.md:11 - downloads CLI from registry.npmjs.org

4 findings

🔗

Medium External URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

Medium External URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

🔗

Medium External URL 外部 URL

https://nodejs.org/

reference/workflow.md:19

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com

reference/workflow.md:21

File Tree

13 files · 33.4 KB · 1035 lines

Markdown 13f · 1035L

├─ ▾ 📁 reference

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 airport-guide.md Markdown 11L · 476 B

│ ├─ 📝 examples.md Markdown 26L · 710 B

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

│ └─ 📝 workflow.md Markdown 279L · 9.7 KB

└─ 📝 SKILL.md Markdown 91L · 3.9 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@fly-ai/flyai-cli`	`latest (unpinned)`	npm registry.npmjs.org	No	No version pinning - could fetch malicious updates

Security Positives

✓ No executable scripts (Python, JS, shell) present - only Markdown documentation

✓ No credential harvesting or environment variable iteration observed

✓ No base64-encoded payloads or obfuscation techniques detected

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)

✓ No reverse shell, C2 communication, or data exfiltration patterns

✓ No supply chain typosquatting detected (package name is descriptive)

Scan Report

Findings 5 items

File Tree

Dependencies 1 items

Security Positives