Skills
skills/ai4mse/flyclaw/flyclaw-flight-search-zero-login/Gen Agent Trust Hub

flyclaw-flight-search-zero-login

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file sources/fliggy_mcp.py contains hardcoded authentication secrets, including DEFAULT_API_KEY (which uses the sensitive sk- prefix) and DEFAULT_SIGN_SECRET. Hardcoding credentials in source code is an unsafe practice.
  • [EXTERNAL_DOWNLOADS]: The AirportManager.update_from_url method in airport_manager.py and the update-airports command in flyclaw.py allow the skill to fetch data from arbitrary remote URLs.
  • [COMMAND_EXECUTION]: The skill is designed to be executed via a CLI interface (flyclaw.py), allowing the agent to perform network requests and manage local caches based on instructions provided in SKILL.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 28, 2026, 12:07 PM