Low Risk — Risk Score 20/100
Last scan: 1 day ago
flyai-companion-matcher
Travel companion compatibility report: find out whether you are a good match before you set off! Helps travel companions take a travel-style compatibility test before departure, surface points of disagreement in advance, and get a plan that accommodates both sides based on real hotel and attraction data.
This is a legitimate travel companion matching skill with minor security concerns around SSL bypass instruction and unversioned npm dependency, but no malicious behavior detected.
Skill Name: flyai-companion-matcher
Duration: 49.6s
Engine: pi
Safe to install
Consider pinning FlyAI CLI to a specific version instead of @latest, and document the security implications of NODE_TLS_REJECT_UNAUTHORIZED=0 before using it.

Findings (2 items)

Severity | Finding | Category | Location

Medium | SSL certificate verification bypass documented | Doc Mismatch | reference/workflow.md:107
The workflow documentation instructs users to disable SSL verification with NODE_TLS_REJECT_UNAUTHORIZED=0 when they encounter certificate errors. This turns off TLS certificate validation entirely, which exposes users to man-in-the-middle attacks if the implications are not understood.
NODE_TLS_REJECT_UNAUTHORIZED=0 flyai <command>
→ Add a security warning explaining the risk, or document alternative solutions before resorting to the SSL bypass.

Low | Unversioned npm dependency | Supply Chain | reference/workflow.md:18
FlyAI CLI is installed using the @latest tag, which can pull a different version each time it is run and introduce unexpected changes.
npm install -g @fly-ai/flyai-cli@latest
→ Pin to a specific version (e.g., @fly-ai/[email protected]) for reproducible deployments.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares user profile storage; workflow.md:49-50 reads ~/.flyai/
Network | READ | READ | ✓ Aligned | SKILL.md declares FlyAI search commands; calls flyai CLI API
Shell | NONE | NONE | | No shell execution in skill; flyai is a CLI tool, not arbitrary command executio…
External URLs (3 findings)

Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44
Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32
Medium | External URL | https://nodejs.org/ | reference/workflow.md:22

File Tree

14 files · 34.3 KB · 1108 lines
Markdown 14f · 1108L
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 examples.md Markdown 27L · 857 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 self-growth.md Markdown 21L · 623 B
│ ├─ 📝 strategies.md Markdown 33L · 1.1 KB
│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
│ └─ 📝 workflow.md Markdown 286L · 8.6 KB
└─ 📝 SKILL.md Markdown 113L · 4.7 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
@fly-ai/flyai-cli | latest | npm | No | Version not pinned, uses @latest tag

Security Positives

✓ No credential harvesting detected: skill does not access API keys, tokens, or passwords
✓ No obfuscation or encoded commands found
✓ No network requests to suspicious external IPs
✓ No hidden functionality or undocumented behavior
✓ Documentation is comprehensive and matches implementation
✓ User profile data is local and user-controlled
✓ flyai CLI is a legitimate travel data API tool