ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tennis Vacation Rater

v1.0.5

Evaluate tennis vacation destinations with structured scoring across transportation, accommodation, weather, and court facilities. Use when users ask about t...

0· 41·0 current·0 all-time
by@edam17
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (tennis vacation rater) match the instructions and reference materials: scoring dimensions, data sources, and report templates all pertain to travel/tennis evaluation. The only external tool mentioned (flyai CLI) is optional and directly related to obtaining real-time flight prices.
Instruction Scope
SKILL.md is instruction-only and stays within the domain: extract user destination, optionally fetch links, collect flight/hotel/weather/court data, compute scores, and produce a report. Note: the link-handling protocol allows optional web access (WebFetch/BrowserOpen) to user-provided links with a 10s timeout — this is expected for the feature but means the agent may attempt to fetch content the user supplies. Also there is minor ambiguity in the price-monitoring text (it describes 'check prices daily at 9 AM' as a monitoring behavior but elsewhere states no automatic background monitoring/cron jobs are created).
Install Mechanism
No install spec or code files are included (instruction-only). The only install suggestion is an optional external npm CLI (@fly-ai/flyai-cli) for live flight prices; installing that CLI is a user action outside the skill and is proportionate to the described capability.
Credentials
The skill requests no environment variables, no credentials, and no config paths. No secret exfiltration indicators are present in the instructions or references.
Persistence & Privilege
always is false and the skill does not request persistent background privileges. The documentation explicitly states it does NOT create automatic cron jobs; however, the marketing/monitoring language could confuse users into expecting ongoing background monitoring—confirm intent with the integrator before relying on continuous alerts.
Assessment
This skill appears to do what it says: evaluate tennis travel destinations and generate structured reports. Before installing or using it: 1) Be aware the agent may attempt to fetch content from any links you provide (WebFetch/BrowserOpen) — don’t paste private credentials or sensitive content into links. 2) The skill may recommend installing a third‑party CLI (@fly-ai/flyai-cli) for real-time fares — vet that package and its publisher before installing. 3) The price-monitoring language contains mixed messages (it describes daily checks but also says no automatic monitoring); confirm with the skill author or test behavior if you expect ongoing alerts. 4) Source is unknown — if you need stronger assurance, ask for provenance or a signed homepage/repo before trusting it in sensitive workflows.

Like a lobster shell, security has layers — review code before you run it.

latestvk97748fvmwkjmyqb5r17jggh8s8439m4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments