Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Holiday Travel Ranker
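v0.1.0
A ranking tool that recommends holiday travel destinations. Use it when the user wants to know where a long or short holiday is best spent, wants to compare the value for money of domestic and international destinations, or wants a ranked list of holiday trip recommendations. Trigger phrases: where to go for the holiday, travel recommendations, travel destinations, value-for-money travel, holiday travel ranking, holiday travel, where to travel, where to go for May Day, where to go for National Day, Spring Festival trips.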
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the instructions align: the skill is designed to collect public travel data, score destinations, and produce reports. The use of web_search/web_fetch and scoring dimensions is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run scripts (scripts/generate_report.py and scripts/generate_html.py) and to read references (references/scoring_criteria.md and references/destinations.md), but the package contains only SKILL.md and a usage doc — the referenced files/scripts are missing. The instructions also direct broad web_search/web_fetch activity (parallel subagents collecting multiple dimensions across ~40 destinations), which will trigger many external queries and create files on disk; this behavior is expected for the skill but the missing local resources make the runtime behavior ambiguous and error-prone.
Install Mechanism
No install spec and no third-party binaries or downloads are declared. That minimizes installation risk; however the skill assumes a Python 3.8+ environment for scripts (which are not present).
Credentials
The skill requests no environment variables, credentials, or config paths. The data it collects is public web data; no secrets are required by the declared spec.
Persistence & Privilege
always is false and there is no request to modify agent/system-wide settings or other skills. The skill will create local report files if the referenced scripts are provided, which is expected and scoped to the skill.
What to consider before installing
This skill appears to be what it claims (a travel-destination ranker) and will perform extensive web searches and produce Markdown/HTML reports. However, SKILL.md references local files (references/*.md and scripts/*.py) that are not included in the package you provided — that is an incoherence you should resolve before trusting it. Before installing or running: (1) ask the publisher for the missing reference files and the two scripts and review their source code to ensure they do only expected report generation (no hidden network endpoints or credential exfiltration); (2) if you allow the agent to run this, be aware it will make many web requests (potentially to many third-party sites) and will write report files to disk — run it in a sandbox or limited environment first; (3) confirm you are comfortable with the agent's web_search/web_fetch permissions and file-write behavior; (4) if the skill later requests credentials or adds an install step, treat that as a higher-risk change and re-evaluate. If you can't obtain and review the missing referenced files, consider this skill incomplete and avoid running it.
Like a lobster shell, security has layers — review code before you run it.
