flyai-flight-calendar Security Report — Trusted | ClawSafe

5 /100

flyai-flight-calendar

机票低价日历助手，帮助时间弹性的用户找到最便宜的出发日期

Pure documentation skill providing a flight price calendar assistant; all operations are documented and legitimate travel search functionality.

Skill Nameflyai-flight-calendar

Duration45.4s

Enginepi

✓

Safe to install

No action required. This is a documentation-only skill with no malicious behavior.

Findings 2 items

Severity	Finding	Location
Low	Unpinned npm package version Supply Chain The skill instructs users to install @fly-ai/flyai-cli@latest without a fixed version, which could result in unexpected behavior if the package changes. `npm install -g @fly-ai/flyai-cli@latest` → Consider pinning to a specific version (e.g., @fly-ai/[email protected]) to ensure consistent behavior.	`SKILL.md:65`
Low	Undeclared network access Doc Mismatch The CLI tool makes network requests to fetch flight data, but network access is not explicitly declared in the skill's permission model. `flyai search-flight --origin ... --destination ...` → Consider documenting network:READ in the capability declaration if the skill should declare all resource usage.	`SKILL.md:88`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md: Reads ~/.flyai/user-profile.md
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md: npm install and flyai CLI commands
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md: search_memory, update_memory, ask_user_question
Network	`NONE`	`READ`	✓ Aligned	CLI commands make network requests via @fly-ai/flyai-cli

6 findings

🔗

Medium External URL 外部 URL

https://nodejs.org/

reference/core-workflow.md:19

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com

reference/core-workflow.md:21

🔗

Medium External URL 外部 URL

https://a.feizhu.com/xxxxx

reference/core-workflow.md:109

🔗

Medium External URL 外部 URL

https://a.feizhu.com/yyyyy

reference/examples.md:43

🔗

Medium External URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

Medium External URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

File Tree

13 files · 31.9 KB · 995 lines

Markdown 13f · 995L

├─ ▾ 📁 reference

│ ├─ 📝 advanced.md Markdown 19L · 519 B

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 core-workflow.md Markdown 156L · 5.7 KB

│ ├─ 📝 examples.md Markdown 59L · 2.4 KB

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ └─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

└─ 📝 SKILL.md Markdown 133L · 4.7 KB

Security Positives

✓ Pure documentation skill with no executable code - no risk of hidden malicious behavior

✓ All operations are clearly documented in SKILL.md

✓ User profile data stays local, no exfiltration observed

✓ No credential harvesting or sensitive system file access

✓ No obfuscation, base64 encoding, or anti-analysis techniques

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No prompt injection or jailbreak instructions

✓ Uses legitimate FlyAI/Fliggy API for travel data

Scan Report

Findings 2 items

File Tree

Security Positives