Search flights, hotels, attractions, concerts, and travel deals with natural language. FlyAI connects to Fliggy MCP for real-time search and booking across h...
Security Analysis
medium confidence
The skill's declared purpose (travel search/booking) matches what its instructions ask for (a node-based CLI), but you should be cautious about installing the recommended npm CLI and about supplying any API keys.
The name/description describe a Node CLI that talks to travel services. The SKILL.md requires the node binary and instructs installing an npm CLI (@fly-ai/flyai-cli), which is coherent with the stated purpose.
Runtime instructions are limited to installing and using the flyai CLI and running search commands (and a date command for context). The docs do not instruct reading arbitrary filesystem locations or unrelated env vars, nor do they direct data to unexpected endpoints within the provided docs.
There is no formal install spec in the registry metadata, but SKILL.md instructs `npm i -g @fly-ai/flyai-cli`. Installing a global npm package is common for CLIs but carries moderate risk because it executes code from the npm registry; the skill provides no checksum, publisher identity, or release host verification in the docs.
The skill declares no required env vars and only documents an optional FLYAI_API_KEY for improved results. The optional key is proportional to the feature (enhanced API access). There are no unrelated credentials requested in the docs.
The skill is not marked always:true and does not request system-wide privileges in the metadata or SKILL.md. The only persistence implied is installing the npm CLI into the system (standard for CLIs), which is expected behavior for this capability.
Guidance
This skill appears internally consistent: it wants node and to install a flyai CLI from npm, which matches its travel-search purpose. Before installing or providing any API key, verify the npm package and publisher (check the package page, recent versions, and review the code if possible). Prefer installing the CLI in an isolated environment (container or VM) if you want to limit risk. Do not reuse high-privilege or unrelated credentials (AWS keys, GitHub tokens, etc.) when configuring FLYAI_API_KEY; use a dedicated key with minimum scope. If you need higher assurance, ask the publisher for a signed release or inspect the package contents before global installation.
Latest Release
v1.0.15
- Bumped version to 1.0.15.
- Updated display requirements: now mandates that, if `systemMessage` exists in the data, a "platform hint" (the value of `systemMessage`) must be shown at the end of the output.
- Added instruction to always display the platform hint at the end of responses.
Published by @yealexchen on ClawHub