flyai-flight-calendar 安全扫描报告 — 可信 | ClawSafe

5 /100

flyai-flight-calendar

机票低价日历助手，帮助时间弹性的用户找到最便宜的出发日期

Pure documentation skill providing a flight price calendar assistant; all operations are documented and legitimate travel search functionality.

技能名称flyai-flight-calendar

分析耗时45.4s

引擎pi

✓

可以安装

No action required. This is a documentation-only skill with no malicious behavior.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned npm package version 供应链 The skill instructs users to install @fly-ai/flyai-cli@latest without a fixed version, which could result in unexpected behavior if the package changes. `npm install -g @fly-ai/flyai-cli@latest` → Consider pinning to a specific version (e.g., @fly-ai/[email protected]) to ensure consistent behavior.	`SKILL.md:65`
低危	Undeclared network access 文档欺骗 The CLI tool makes network requests to fetch flight data, but network access is not explicitly declared in the skill's permission model. `flyai search-flight --origin ... --destination ...` → Consider documenting network:READ in the capability declaration if the skill should declare all resource usage.	`SKILL.md:88`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md: Reads ~/.flyai/user-profile.md
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: npm install and flyai CLI commands
技能调用	`READ`	`READ`	✓ 一致	SKILL.md: search_memory, update_memory, ask_user_question
网络访问	`NONE`	`READ`	✓ 一致	CLI commands make network requests via @fly-ai/flyai-cli

6 项发现

🔗

中危外部 URL 外部 URL

https://nodejs.org/

reference/core-workflow.md:19

🔗

中危外部 URL 外部 URL

https://registry.npmmirror.com

reference/core-workflow.md:21

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/xxxxx

reference/core-workflow.md:109

🔗

中危外部 URL 外部 URL

https://a.feizhu.com/yyyyy

reference/examples.md:43

🔗

中危外部 URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

中危外部 URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

目录结构

13 文件 · 31.9 KB · 995 行

Markdown 13f · 995L

├─ ▾ 📁 reference

│ ├─ 📝 advanced.md Markdown 19L · 519 B

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 core-workflow.md Markdown 156L · 5.7 KB

│ ├─ 📝 examples.md Markdown 59L · 2.4 KB

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ └─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

└─ 📝 SKILL.md Markdown 133L · 4.7 KB

安全亮点

✓ Pure documentation skill with no executable code - no risk of hidden malicious behavior

✓ All operations are clearly documented in SKILL.md

✓ User profile data stays local, no exfiltration observed

✓ No credential harvesting or sensitive system file access

✓ No obfuscation, base64 encoding, or anti-analysis techniques

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No prompt injection or jailbreak instructions

✓ Uses legitimate FlyAI/Fliggy API for travel data