Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Hotel Near Attraction

v2.0.0

Find hotels closest to a specific attraction, landmark, or scenic spot. Searches by POI name, sorts by distance, and shows walking time. Also supports: fligh...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (find hotels near an attraction) matches the runtime instructions: it always runs flyai search-poi then flyai search-hotels and formats results. Use of Fliggy/Fliggy-related searches (fliggy-fast-search) is consistent with the declared scope.
Instruction Scope
SKILL.md confines the agent to running specific CLI commands, collecting POI + city, and formatting CLI output. It does not instruct reading unrelated files or environment variables, nor sending data to unexpected endpoints beyond flyai CLI calls. The self-test and mandatory re-execution rules could cause repeated CLI calls, but that is within the skill's stated goal.
Install Mechanism
No install spec in registry, but the instructions require installing @fly-ai/flyai-cli globally via npm (npm i -g). This is a standard public-registry install (moderate risk). The skill suggests escalating to sudo if install fails, which requires user caution (global npm installs and sudo should be reviewed before running).
Credentials
The skill declares no environment variables or credentials, which is consistent with an instruction-only wrapper around a CLI. However, the flyai CLI itself may require authentication/configuration (not declared here). The skill does not request unrelated secrets, but it implicitly depends on an external CLI that could need credentials stored elsewhere.
Persistence & Privilege
The skill is not always-enabled, does not request persistent privileges, and contains no instructions to modify other skills or system-wide agent settings. It records an internal runbook/log schema for observability, but that is described as internal; there is no instruction to persist or exfiltrate agent config.
Assessment
This skill is instruction-only and delegates all work to the @fly-ai/flyai-cli npm package. Before installing or running it:
1) Inspect the flyai-cli package on the npm registry (publisher, popularity, permissions, recent changes).
2) Be cautious with global npm installs and sudo; prefer installing in a controlled environment or ask the user to install manually.
3) Confirm how flyai-cli authenticates (it may require account credentials or create local config files); the skill does not declare or manage those credentials.
4) Expect the CLI to make network calls to Fliggy/third-party APIs (real-time pricing/links).
If you cannot verify the CLI package or you are unwilling to install a global CLI, do not install this skill. If possible, run the CLI manually first to observe its behavior and what credentials/config it creates.

Like a lobster shell, security has layers — review code before you run it.
