Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
差旅打车
v1.0.0企业用车服务助手,支持即时用车、预约用车、接送机、包车等多种用车场景,提供车型选择、费用预估、订单管理等功能。Invoke when user needs to book a car, schedule a ride, airport transfer, or manage car service orders.
⭐ 0· 28·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md, and the two Python modules consistently implement a corporate ride/booking assistant (estimate price, request ride, schedule, airport transfer, cancel, format). Required binary (python3) is appropriate and there are no unrelated dependencies or requested credentials.
Instruction Scope
SKILL.md includes an explicit constraint: '必须调用真实用车平台API获取价格和可用车辆' (must call real platform APIs). However, the provided code (car_service_api.py and openai_adapter.py) implements a local simulator that uses random distance and an internal drivers DB and contains no external endpoints or credential usage. That is an inconsistency: the instructions expect network/credentialed calls but the code does not. SKILL.md also contains unicode-control-chars flagged by the scanner (possible prompt-injection attempt to influence runtime prompts or evaluation).
Install Mechanism
No install spec; skill is instruction + local Python scripts. That is low-risk from an install perspective — nothing is downloaded or extracted from remote URLs and only standard library usage is present in the code.
Credentials
The skill declares no required environment variables or credentials, which matches the included simulator code. But SKILL.md's requirement to call a real ride-platform API implies credentials/endpoints would be needed; those are not declared or provided. This mismatch creates a risk the agent or integrator will be asked to supply platform credentials or endpoints ad hoc, which should be surfaced and justified before use.
Persistence & Privilege
Skill is not configured with always:true and does not attempt to modify other skills or system-wide settings. It exposes functions for a calling agent but does not request persistent privileges.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contained unicode control characters flagged by the pre-scan. This is not expected for a normal ride-booking skill and may indicate an attempt to influence prompt parsing or hide content. The code files themselves appear normal and do not contain obfuscated payloads.
What to consider before installing
This skill mostly does what it says (a simulated corporate ride assistant) but there are two things to check before installing or granting access: (1) SKILL.md insists on calling a 'real' ride-platform API but the included code only simulates data and does not declare endpoints or request credentials — ask the author which external APIs will be used and require explicit environment variables/endpoints and a privacy/security justification before providing credentials; (2) the SKILL.md contained unicode control characters flagged by the scanner — treat that as suspicious and request a clean copy or explanation. If you plan to connect the skill to a production ride platform, review network calls and credential handling (do not supply secrets until you confirm where they are stored/used), run the code in a sandbox, and consider requiring the maintainer to add explicit config for external API endpoints and authentication.Like a lobster shell, security has layers — review code before you run it.
latestvk976sx242jkbwxw0wv1kc7pq1583yswq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚗 Clawdis
Binspython3