Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Global

v0.1.0

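Provides cross-border e-commerce trends, international finance updates, and quick news on overseas property purchases and immigration policy.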

0· 156·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
Name/description advertise cross-border e-commerce, international finance, overseas property and immigration updates, but SKILL.md focuses on local place/visit information (filters: distance, social popularity; return fields: queue, parking, navigation, photos). These are different domains—required data and integrations for the described purpose (e.g., financial APIs, immigration sources) are absent, and conversely the instructions imply mapping/review data that the description doesn't mention.
Instruction Scope
SKILL.md is instruction-only and does not instruct reading system files or environment variables. However it is vague: it lists UI filters and response fields but gives no runtime guidance about where to fetch queue/real-time data, maps/navigation, or community reviews. That vagueness grants broad implementation freedom and could mask calls to third-party services.
Install Mechanism
No install spec and no code files are present (instruction-only), so there is no immediate disk-write or package-install risk from the bundle itself.
!
Credentials
The skill declares no required environment variables, but the features described (real-time queue, precise navigation, community images/reviews) normally require external APIs or credentials (maps, review platforms, ticketing systems). The absence of declared credentials is incoherent and should be clarified before use.
Persistence & Privilege
always is false and no special OS or config path access is requested. Model invocation is allowed (default), which is expected; there is no evidence the skill requests persistent/system-wide privileges.
What to consider before installing
This skill is internally inconsistent: its description promises cross-border finance and immigration updates but the runtime doc describes local shop/visit information. Before installing, ask the author to: (1) clarify the true purpose and correct SKILL.md so it matches the description; (2) list any external data sources or APIs the skill will call (maps, review platforms, ticketing systems) and the exact environment variables or credentials required; (3) confirm where user location or other personal data is sent and how privacy is handled. Do not provide API keys or sensitive credentials until the skill explicitly declares them and explains why they are needed. Because the manifest is vague, prefer testing in a sandboxed environment and avoid granting broad access until the inconsistencies are resolved.

Like a lobster shell, security has layers — review code before you run it.
