Is lancenas/variflight-aviation safe?

https://github.com/openclaw/skills/tree/main/skills/lancenas/variflight-aviation

Score: 72 (CAUTION)

The variflight-aviation skill appears to be a legitimate flight information tool that wraps the Variflight MCP server, but carries meaningful supply-chain risk: every command invocation spawns a loosely-pinned external npm package (@variflight-ai/variflight-mcp@^0.0.2) via npx, and one code path (MCPServerManager) passes the full host process.env to that subprocess. No malicious behavior was detected during install, canary files were not compromised, and the production StdioClientTransport path correctly restricts the environment to only the API key. However, the combination of an unaudited runtime npm dependency, inconsistent env-scoping between code paths, and hardcoded macOS developer paths suggests poor security hygiene and a non-negligible supply-chain attack surface.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

HIGH Loosely-pinned external npm package spawned at runtime -25

Every command invocation calls npx -y @variflight-ai/variflight-mcp with a semver range (^0.0.2). npx with -y will execute whatever matching version is currently published to npm without user confirmation. A supply-chain compromise of the @variflight-ai namespace would deliver arbitrary code to all users on the next invocation, with access to the host environment.

MEDIUM MCPServerManager spreads full process.env to spawned subprocess -20

The MCPServerManager class initializes its env by spreading the entire host process.env, then passes it to the spawned MCP server process. This means all environment variables present in the agent's runtime — including AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, ANTHROPIC_API_KEY, and any other secrets — are forwarded to the external @variflight-ai/variflight-mcp npm process.

MEDIUM Hardcoded macOS-specific developer binary path -10

Both mcp-server-manager.js and variflight-client.js hardcode an absolute path to a developer's personal nvm installation. This path is non-functional on any system that isn't the original author's Mac, and reveals personal development environment details. It also means the skill silently fails or falls back to PATH lookup in unpredictable ways.

LOW Config loader reads all variflight-prefixed and unprefixed env vars -8

config-loader.js reads VARIFLIGHT_TIMEOUT and VARIFLIGHT_LOG_LEVEL from process.env, and will accept X_VARIFLIGHT_KEY or VARIFLIGHT_API_KEY. While this is declared behavior (env-read permission), the loader does not validate or restrict which vars it ingests, and the loaded config object is passed to the MCP transport.

LOW env-read permission scope broader than minimum necessary -8

The skill declares env-read permission in SKILL.md. The production code path in variflight-client.js does pass a restricted environment to the MCP subprocess (only X_VARIFLIGHT_KEY and PATH), which is good practice. However the MCPServerManager alternative code path passes all env vars. The declared permission is correct but the implementation is inconsistent.

INFO Install-time network activity limited to expected GitHub clone 0

Only observed outbound connection during install was to 140.82.121.3:443 (github.com) for the sparse monorepo clone. No connections to variflight.com, npm registry, or any unexpected endpoints were observed during install.

INFO No npm install lifecycle hooks present 0

package.json contains only test, lint, and start scripts. No preinstall, postinstall, prepare, or other lifecycle hooks that would execute code at install time were found.

INFO All honeypot credential files unmodified 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud credentials) were accessed only by the Oathe monitoring framework at baseline and teardown. No modifications detected. No evidence of content exfiltration via these files.