ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trip Guide PDF Lodging

v1.0.0

Research, plan, revise, and deliver lodging-anchored travel guides as HTML/PDF with verified route data, hotel selection, fallback hotel swaps, curated scree...

0· 24·0 current·0 all-time
byoldShade@allensu0314
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and instructions consistently describe producing HTML/PDF lodging‑anchored travel guides; required capabilities (research, recompute routes, screenshots, QA) match the stated purpose.
Instruction Scope
Instructions stay within the stated domain (research, route verification, lodging-driven itinerary, QA, screenshot handling). However the doc tells the agent to use a source named `cn-review-sites-cdp` when Chinese review sites are weak — this external data source is referenced but not explained or declared, which could cause unexpected network calls or require undisclosed credentials. The guidance to send local files via OpenClaw messaging (MEDIA:./...) is platform-specific and implies the skill will upload local artifacts; users should verify what gets transmitted and stored.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing written to disk by an installer).
Credentials
The skill declares no required environment variables or credentials (proportionate). But the `cn-review-sites-cdp` reference suggests potential reliance on an external/internal data pipeline which may need credentials or access not declared in the manifest — request clarification from the author.
Persistence & Privilege
always:false (default) and no modifications to other skills or system config. The skill asks the agent to send files via platform messaging, which is normal behavior but means uploaded files and screenshots could be shared — not a privilege escalation but worth reviewing platform upload policies.
What to consider before installing
This skill appears to do what it says, but two things need clarification before you install or run it: (1) it mentions an external data source (`cn-review-sites-cdp`) without declaring credentials or explaining where that data comes from — ask the publisher whether this triggers network calls or requires special API keys or internal access; (2) the skill explicitly instructs the agent to send local files/screenshots via OpenClaw messaging (relative MEDIA paths) — confirm what files will be uploaded, where they are stored, and whether screenshots may include PII (hotel confirmations, addresses, reservation numbers). If you rely on private data, request an explicit list of endpoints the agent will contact and whether any credentials will be required or stored. If the author cannot clarify the `cn-review-sites-cdp` dependency or file upload behavior, treat the skill as higher risk and avoid giving it access to sensitive files or credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ft4y915j1svymrr9fy12s35845v2x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments