Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

spontaneous trip planner

v1.0.0

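Uses the Fliggy (飞猪) travel tool to generate personalized travel plans. Triggers automatically when the user mentions travel, sightseeing, attractions, or itinerary planning. Once triggered, it must first confirm with the user: 1) the departure city 2) the travel scenario 3) the number of travelers 4) two of the three travel priorities (affordable price / ample time / attraction quality). After confirmation, it takes the current season into account and uses the flyai tool to generate a customized plan.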

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and SKILL.md are consistent: the skill uses a travel tool (flyai) to build personalized itineraries. However, the SKILL.md explicitly requires the 'flyai' CLI/tool and the AskUserQuestion popup tool at runtime, yet the skill metadata declares no required binaries, env vars, or credentials. This is an omission/inconsistency (missing declared dependency) rather than an immediate red flag.
Instruction Scope
Instructions are narrowly scoped to collecting user input via AskUserQuestion, determining the current date/season, querying flyai for POIs/flights/hotels, and composing recommendations. The SKILL.md does not instruct reading arbitrary local files, scanning environment variables, or exfiltrating system data. It will, however, transmit user-provided travel inputs (city, preferences, number of people) to the external flyai tool as part of normal operation.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — minimal on-disk footprint. No external downloads or install scripts are present.
Credentials
The SKILL.md relies on flyai for searches and jumpUrls but the skill declares no required environment variables or credentials. If flyai requires API keys, tokens, or local binaries, those requirements are not declared here. That omission could lead to runtime failures or unexpected credential prompts; it also obscures where user selections are sent and what credentials (if any) would be used or needed.
Persistence & Privilege
always is false and the skill has no install steps that modify agent/system configuration. It does auto-trigger on travel-related user messages (as advertised), which is normal for a user-invocable tool, not an elevated privilege.
What to consider before installing
Before installing, confirm these points with the publisher: (1) Does this skill require the 'flyai' CLI/tool and is that tool available in your environment? If so, what exact binary name/version is required? (2) Does flyai require API keys, tokens, or other credentials — if yes, which env vars or config files will hold them and where are they documented? (3) Where do flyai 'jumpUrl' links point (domains)? Understand that the skill will send the user's city, trip preferences, and possibly destination queries to an external service (flyai) — verify that you trust that service and its handling of PII. Also consider whether you want the skill to auto-trigger when travel is mentioned; test it first with non-sensitive inputs. If the publisher can't clarify required tools/credentials, treat the omission as a risk and avoid enabling the skill until clarified.

Like a lobster shell, security has layers — review code before you run it.
