Skill v1.0.0
ClawScan security
酒店竞对调研openclaw助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 4:37 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims automated nearby-hotel search but the shipped code is a manual/offline fallback and the documentation references an API key and an upgrade script that are not present — this mismatch is misleading and worth caution.
- Guidance: This package is the "fallback" offline version: it generates reports from manually entered data or Excel and explicitly does NOT implement the advertised automatic nearby-hotel search. The documentation mentions a Gaode (高德) API Key and an upgrade script that are absent from the bundle. Before using or providing any API keys, verify the upgrade/setup scripts and any network-calling code that would be introduced. If you expect automatic searching, request the full implementation or examine the missing setup_wizard.sh and any code that would call external APIs. Running the included script is low-risk for secrets (it operates locally), but treat any future upgrade that requires an API key as potentially risky until you inspect what it will install and where it sends data. Consider running in a sandbox/isolated environment and review network activity if you proceed.
Review Dimensions
- Purpose & Capability (concern): The skill description and README advertise "自动搜索周边酒店" (automatic nearby-hotel search) and list Gaode (高德) API Key as required, but the included script (BasicHotelAnalysis) is an offline/fallback implementation that requires manual input or Excel import. The --auto-fetch flag is a stub that simply prints a message and does not perform network queries. An upgrade script referenced (./scripts/setup_wizard.sh) is mentioned in the report but is not included. This is a functional mismatch between claimed capability and actual code.
- Instruction Scope (concern): SKILL.md instructs running python3 scripts/hotel_analysis.py and states an Amap API Key is needed, but there is no mechanism shown for supplying that key (no env var, no config path). The runtime instructions are limited and do not direct the agent to read unrelated system files or exfiltrate data, but they are misleading about automatic fetching and an absent setup_wizard.sh. The script's auto-fetch path explicitly skips network activity, so current runtime behavior is non-networking despite the docs implying otherwise.
- Install Mechanism (ok): No install spec is provided (instruction-only skill with code file). That lowers install-time risk; nothing is downloaded or written by an installer. requirements.txt lists typical Python libs but no automatic install is enforced by the skill bundle itself.
- Credentials (note): The skill bundle does not declare or require any environment variables or credentials, yet SKILL.md mentions a Gaode (高德) API Key as needed for the advanced/standard features. Because the included code does not consume such a key, there is a documentation vs. implementation mismatch. If later versions or the missing upgrade script request an API key, providing it without inspecting the upgrade code would be risky.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges (always:false), does not modify other skill configurations, and contains no install mechanism that would alter system-wide settings. Autonomous model invocation is allowed (platform default) but not combined with other concerning allowances.
