Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Korean Booking

v2.6.7

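Korea/Seoul beauty and medical-aesthetics booking assistant with a built-in database of 900+ dermatology clinics and plastic surgery hospitals (BeautsGO platform). Supports: ① looking up the booking process by hospital name or treatment type (laser/injection/plastic surgery); ② submitting a booking directly through the API (collects party size, time, and contact details, then POSTs; no browser needed); ③ opening the hospital's detail page, price list, or online customer service; ④ four languages: Chinese, English, Japanese, and Thai. Trigger scenarios: asking about Korean beauty...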

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code, data, and network permissions align with a BeautsGO booking assistant: local hospital DB, renderer, Playwright-based browser automation, and a POST to the BeautsGO-related endpoint (api.yestokr.com). However, some runtime choices (launching Chromium with flags that disable web security/CSP and granting clipboard/geolocation/notification permissions) are stronger than expected for a simple 'open page and submit booking' tool and deserve justification.
! Instruction Scope
SKILL.md contains rigid output rules and explicitly instructs the agent to always call the skill each turn and to never use the agent's browser tool — this reads like prompt-injection (and pre-scan flagged injection patterns). The skill's runtime also scans all strings in the provided context (collectStrings) up to depth 4, which could cause it to use arbitrary context content (possibly exposing sensitive tokens or other data if that context contains them). The skill will collect user phone numbers and POST them to an external API when booking — the code appears to do that as documented. The combination of enforced call patterns, context scanning, and external POSTs expands the scope beyond a simple read-only helper.
Install Mechanism
There is no install spec in the manifest (instruction-only), but the package includes many JS files and expects Node + npm packages (playwright, chromium). Installing will likely pull Playwright's browser binaries (large downloads) and run code locally. No arbitrary HTTP download URLs or obscure installers are present in the manifest, which reduces one large class of install risk.
! Credentials
The skill requests no environment variables or credentials (good). But it does accept and send user-provided contact info to https://api.yestokr.com/api/Appointment/saveFromSkill. Two privacy risks: (1) the code will extract strings from the provided context broadly (collectStrings) and may treat them as hospital keywords or other inputs — if the context accidentally includes secrets those could be used or sent; (2) Playwright context is created with permissions ['geolocation','notifications','clipboard-read','clipboard-write'] and bypasses web security flags, which increases the chance of unintended data exposure when the headful browser is driven by the skill.
Persistence & Privilege
The skill is not always-enabled, does not request platform-level persistent privileges, and does not modify other skills' configs. Autonomous invocation is allowed (default) but not combined with an 'always:true' flag, so its privilege footprint is typical for skills.
Scan Findings in Context
[base64-block] unexpected: SKILL.md was flagged for base64-block pattern in the instruction content; injection-like output rules are present (forced verbatim output). This is not needed for a booking helper and looks like an attempt to influence agent behavior.
[unicode-control-chars] unexpected: SKILL.md contained unicode control character patterns that can be used to obfuscate or hide instructions. This is not expected for a normal booking skill and adds suspicion.
What to consider before installing
- Privacy: the skill will ask users for phone numbers and will send them to https://api.yestokr.com/api/Appointment/saveFromSkill when you ask it to 'help book'. Only provide real contact details if you trust that endpoint and the operator.
- Output / prompt-injection: SKILL.md contains strict 'output rules' that try to force verbatim replies and disallow the agent's normal browser tool — this looks like prompt-injection. Treat those rules as untrusted text; they are instructions to the agent, not platform policy. Prefer not to grant the skill autonomous or always-on invocation until you review and understand these rules.
- Context leakage: the skill scans all strings in the provided context object to resolve hospital names. Do NOT pass any secrets or unrelated sensitive data in the context (API keys, tokens, private messages). If your agent automatically injects conversation history or system state into context, that may leak to matching/logic that could be sent to the external API.
- Browser automation privilege: the skill runs Playwright (headful Chromium) with flags that disable web security/CSP and grants clipboard/geolocation/notification permissions. These settings increase the risk that web pages opened by the skill could access or exfiltrate data available to the browser environment. Only run this skill on trusted machines and consider running it in an isolated environment (VM/container) if you must use it.
- Trust the endpoint: verify the legitimacy of api.yestokr.com / i.beautsgo.com before sending PII. If unsure, test flows with a dummy phone number and monitor the outbound network traffic.
- Practical steps: review the code (api/submitBookingApi, browser scripts), run locally in a sandboxed environment first, and avoid including secrets in the agent context. If you are not comfortable with Playwright/browser automation flags or the endpoint, prefer manual booking or a skill with fewer automation privileges.
If you want, I can highlight exact lines of code that implement the context scanning, the POST request, and the Chromium flags, or suggest a safer configuration (remove disable-web-security flags, drop clipboard permissions, and avoid broad context scanning).

Like a lobster shell, security has layers — review code before you run it.

latestvk9772c0nw4pscwenwvwq3dqg7n83yjkk
