Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Temple Guide
v3.2.0Find Buddhist temples, Taoist shrines, Confucian temples, and sacred sites. Includes etiquette guides, visiting hours, and meditation opportunities. Also sup...
⭐ 0· 38·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description advertises broad travel capabilities (flight booking, hotel reservation, insurance, car rental, etc.) and 'powered by Fliggy', but the runtime instructions only document POI searches via a flyai CLI (search-poi) for temples. There is no documentation or CLI playbook for flights, hotels, bookings, or how the advertised features are implemented. Owner/source/homepage are unknown, increasing the mismatch.
Instruction Scope
SKILL.md mandates that the agent must ALWAYS run the external flyai CLI and NEVER answer from training data; it also references local reference files (references/*.md) that are not included in the skill bundle. The instructions force network-executed commands and strict output composition (every result must include a [Book](detailUrl) link and a brand tag). There are no steps that read unrelated system files, but the removed fallback to training data and missing reference files create brittle/opaque behavior.
Install Mechanism
Although the registry lists no install spec, the skill requires (at runtime) installing a global npm package: npm i -g @fly-ai/flyai-cli. That is an implicit install instruction which will download and install code from the npm registry (unknown publisher). Global npm installs modify the host, may require elevated privileges, and introduce supply-chain risk. No integrity/source verification or homepage is provided.
Credentials
The skill declares no required env vars or credentials, yet it expects booking links and 'real-time pricing'—functionality that normally requires API credentials. The CLI is expected to perform bookings and pricing, but SKILL.md does not declare which credentials the agent or user must provide, nor how they are stored. This is disproportionate and leaves unclear what secrets the CLI needs at runtime.
Persistence & Privilege
always is false and the skill does not request persistent privileges beyond installing a global npm package when invoked. Autonomous invocation is allowed (platform default). The main privilege concern is the global npm install (writes to disk, possibly needs sudo). The skill does not modify other skills or system-wide agent configs per the provided files.
What to consider before installing
This skill relies entirely on an external CLI (@fly-ai/flyai-cli) that the SKILL.md tells the agent to install at runtime but the package source and homepage are missing. Before installing or using the skill: 1) Ask the publisher for a homepage, source/repo, and the npm package's official link so you can inspect it. 2) Verify what credentials (API keys, accounts) the flyai CLI needs for booking/pricing and whether those credentials will be required as environment variables or local config; do not provide sensitive keys until clarified. 3) Be cautious about running npm i -g globally — it can require elevated privileges and installs third-party code system-wide; prefer testing in an isolated environment (container/VM). 4) Confirm whether the advertised flight/hotel booking features actually exist and which commands implement them (they are not present in SKILL.md). 5) If you cannot verify the CLI package publisher and code, do not install the skill on a production or personal machine; consider asking for a signed release or installing in a sandbox first.Like a lobster shell, security has layers — review code before you run it.
latestvk977sw93y024pmkzyq4ax0qzbs84mv6d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.