Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

"Find hotels closest to a specific attraction, landmark, or scenic spot. Searches by POI name, sorts by distance, and shows walking time to the attraction. Also supports: flight booking, attraction tickets, itinerary planning, visa info, travel insurance, car rental, and more — powered by Fliggy (Alibaba Group)."

v1.0.55596

Find hotels nearest to a specified attraction by POI name, sorted by walking distance, with support for flights, tickets, visas, insurance, and car rentals.

⭐ 0· 170·0 current·0 all-time

by@dingtom336-gif

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description focus on finding hotels near attractions and the SKILL.md consistently implements that using flyai CLI commands (search-poi, search-hotels). It also references flights/tickets/packaging via fliggy-fast-search which aligns with the extended description. However, the skill relies on an external @fly-ai/flyai-cli tool (declared only in SKILL.md prerequisites) to perform network actions — the skill metadata does not declare this dependency or any credentials the CLI will need, which is an incoherence.

ℹ

Instruction Scope

Runtime instructions are specific: collect POI/city/dates, run flyai search-poi and search-hotels, apply fallbacks, and format results. Instructions also require maintaining a structured background runbook/log that includes the original user query and CLI commands. The skill does not instruct reading unrelated system files, but it does instruct networked CLI calls and background logging of user queries/commands (potentially containing sensitive info). The destination of those logs and the CLI's network endpoints/auth are not specified.

Install Mechanism

There is no install spec in registry metadata, but SKILL.md requires running `npm i -g @fly-ai/flyai-cli`. Requiring a global npm package is a non-trivial install action (executes code on the host). The package source is implied to be npm (not a direct URL), which is typical, but the skill should have declared this dependency in metadata and explained authentication. The discrepancy between 'no install spec' and the explicit global install in the instructions is an inconsistency.

Credentials

The skill declares no required environment variables or credentials, yet all network interactions are performed by an external CLI that presumably needs API keys / auth to call Fliggy/Fliggy-like services. The SKILL.md does not document what credentials the CLI requires or how they are stored. This omission is a meaningful gap: the skill will likely rely on out-of-band credentials/config that are not surfaced to the user or the skill registry.

✓

Persistence & Privilege

The skill is not always-enabled and does not request system-wide privileges. It does instruct the agent to maintain structured runbook logs (request_id, user_query, steps, commands, etc.) for observability. That is within scope for debugging, but the storage location/retention/visibility of those logs is unspecified and should be clarified before trusting sensitive queries.

What to consider before installing

Before installing or running this skill: 1) Verify the provenance of the npm package @fly-ai/flyai-cli (publisher, npm page, source repository and reviews). Global npm installs execute code on your machine — only install from trusted sources. 2) Find out how the CLI authenticates: what credentials or tokens it needs, where they are stored, and whether those credentials grant access beyond booking (e.g., account-level access). The skill metadata does not declare any required env vars, so authentication may be implicit/out-of-band — demand documentation. 3) Ask where background runbook logs are stored and who can read them; the runbook will record original user queries and CLI commands which may include PII. 4) If you need stronger containment, avoid global installs and run the CLI in an isolated environment or container, and disable autonomous invocation until you confirm the CLI behavior. 5) If you proceed, monitor network calls by the CLI (domains contacted) and prefer skills that explicitly declare dependencies and required credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk975b3ctpa0rq9g1g956g18kf583w769

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

License

Comments