flyai-vacation-planner Security Report — Trusted | ClawSafe

5 /100

flyai-vacation-planner

智能拼假日历助手，帮助用户计算最优请假方案并查询机票价格

Pure documentation-only skill with no executable code; all capabilities (CLI tool install, filesystem read for user profiles, network via FlyAI CLI) are fully declared in SKILL.md and reference docs.

Skill Nameflyai-vacation-planner

Duration34.7s

Enginepi

✓

Safe to install

No action needed. This skill is safe to use as-is.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md:64; reference/user-profile-storage.md:43
Network	`READ`	`READ`	✓ Aligned	SKILL.md:43-44; flyai CLI commands in reference/*.md
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:43 npm install -g @fly-ai/flyai-cli@latest

3 findings

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com

SKILL.md:40

🔗

Medium External URL 外部 URL

https://img.alicdn.com/...

reference/search-hotel.md:44

🔗

Medium External URL 外部 URL

https://img.alicdn.com/tfscom/...

reference/search-poi.md:32

File Tree

13 files · 27.5 KB · 883 lines

Markdown 13f · 883L

├─ ▾ 📁 reference

│ ├─ 📝 ai-search.md Markdown 26L · 659 B

│ ├─ 📝 examples.md Markdown 23L · 834 B

│ ├─ 📝 holidays-cn.md Markdown 31L · 936 B

│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB

│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB

│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB

│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB

│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B

│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB

│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB

│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB

│ └─ 📝 visa-rules.md Markdown 23L · 824 B

└─ 📝 SKILL.md Markdown 178L · 6.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`@fly-ai/flyai-cli`	`latest`	npm (registry.npmjs.org)	No	Version pinned to @latest; package source declared in SKILL.md

Security Positives

✓ Documentation-only: zero executable code (scripts, binaries, or bytecode) present

✓ All external capabilities (npm install, FlyAI CLI network calls, filesystem user profile) fully declared in SKILL.md

✓ No obfuscation (no base64, no eval, no encoded payloads)

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env not touched)

✓ No C2 communication, reverse shells, or data exfiltration behavior

✓ No supply chain risk: npm package pinned to @latest tag from official registry; no unpinned dependencies

✓ User profile data stays local in ~/.flyai/ — no exfiltration of personal information

Scan Report

File Tree

Dependencies 1 items

Security Positives