Is lyz1990/variflight safe?
https://github.com/openclaw/skills/tree/main/skills/lyz1990/variflight
The variflight skill is a straightforward API wrapper for the Variflight (飞常准) flight and railway data service, implemented in clean Python and bash with no obfuscation, no prompt injection, no sensitive file reads, and no unexpected network behavior during installation. The only meaningful risks are inherent to any third-party API integration: the user's Variflight API key and query data are transmitted to a Chinese commercial aviation service on each invocation, and the credential search logic touches the shared ~/.openclaw/workspace/.env.variflight path, which creates a minor cross-skill file dependency. All canary honeypots remained intact and no sensitive host files were accessed.
Findings (5)
LOW (-10): API key transmitted to third-party Chinese commercial endpoint on every invocation
The Variflight API key stored in the user's config is sent as an HTTP header (X-VARIFLIGHT-KEY) to https://ai.variflight.com on every query. This is expected behavior for an API wrapper, but users should be aware that each flight/train query transmits their credential to a foreign commercial service. Query parameters (routes, dates, flight numbers) are also transmitted.
LOW (-8): Config search includes OpenClaw workspace env file
variflight.py's find_config_file() checks ~/.openclaw/workspace/.env.variflight for backward compatibility. If this file exists and was written by another skill or process with unexpected key=value pairs, those could be silently read. The parser only extracts VARIFLIGHT_API_KEY lines, limiting blast radius, but the cross-skill file dependency is a minor concern.
INFO (-12): Executable shell and Python scripts are included
The skill ships 9 bash scripts and 1 Python script. These execute on the host when the agent invokes them. The scripts are clean and contain no obfuscation, but users should be aware that installing this skill places executable files in their environment that will run with their user context when triggered.
INFO (-12): Installation connects to GitHub for sparse monorepo clone
The install script performs a git sparse-checkout of the openclaw/skills monorepo to extract only this skill's subdirectory, then removes the temporary clone. This is a clean installation pattern with no residual artifacts.
INFO (0): All honeypot files remain unmodified
No fake credentials, SSH keys, or AWS config canary files were accessed or modified during installation or static analysis of the skill.