Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Budget Hotel Finder
v1.0.1
Find clean, comfortable hotels under your budget. Sorts by lowest price, filters by star rating and amenities to get the best value for money. Also supports:...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is hotel search, and the runtime instructions consistently use the flyai CLI for hotel queries — that part is coherent. However the top-level description and README claim many extra capabilities (flights, visas, insurance, car rental) that are not reflected in the SKILL.md commands or playbooks. Also SKILL.md metadata lists version 2.0.0 while registry metadata is 1.0.1 and source/homepage are missing; these discrepancies reduce confidence in provenance.
Instruction Scope
The SKILL.md mandates installing and running a global npm package (@fly-ai/flyai-cli) and insists every answer must come from flyai CLI output. The runbook includes a step that writes an execution log to .flyai-execution-log.json if filesystem writes are available (echo ... >> .flyai-execution-log.json). Writing user queries and results to disk is scope creep relative to a pure read-only query wrapper and could expose sensitive content if done without clear disclosure. The skill enforces re-execution until a booking link is present, which could cause repeated CLI/network actions.
Install Mechanism
There is no bundled code, but the instructions require running 'npm i -g @fly-ai/flyai-cli' if the CLI is missing. Installing a global npm package is a normal way to provide a CLI, but it is a moderate-risk action because it executes third‑party code on the host. No direct download URLs or archive extraction are present; the install comes from the public npm registry (traceable) rather than an arbitrary URL.
Credentials
The skill declares no required environment variables, no credential fields, and no config paths. The actions described (running flyai CLI) do not request secrets in the SKILL.md. This is proportionate to the stated hotel-search purpose.
Persistence & Privilege
The skill is not 'always: true' and requires explicit invocation, but the runbook's log persistence step writes an execution log to a local file (.flyai-execution-log.json) when filesystem writes are available. That creates on-disk persistence of user queries/results and may be unexpected. The skill does not request elevated system privileges, but local logging should be considered a privacy risk.
What to consider before installing
This skill is an instruction-only wrapper that relies on the third‑party @fly-ai/flyai-cli npm package to get live data. Before installing or using it:
1) Verify the trustworthiness of the @fly-ai/flyai-cli package (review its npm page and source repo) because the skill will prompt a global npm install.
2) Be aware the skill may write an execution log file (.flyai-execution-log.json) containing queries/results to the current working directory — review or disable that behavior if you handle sensitive queries.
3) Expect repeated CLI/network calls if the skill re-executes to satisfy its 'must include booking link' rule.
4) Note the README/description mention many travel services beyond hotels, but the SKILL.md only implements hotel search — treat extra capability claims cautiously.
If you need higher assurance, ask the publisher for the package source and confirm the CLI behavior locally before granting the agent permission to install or run it.
Like a lobster shell, security has layers — review code before you run it.
