Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
即时用车
v1.0.0企业用车服务助手,支持即时用车、预约用车、接送机、包车等多种用车场景,提供车型选择、费用预估、订单管理等功能。Invoke when user needs to book a car, schedule a ride, airport transfer, or manage car service orders.
⭐ 0· 29·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description (enterprise ride booking) matches the provided functionality (price estimates, booking, airport transfer). However, SKILL.md explicitly requires calling a real ride-platform API, while the bundled Python code implements a simulated/local CarServiceApi and does not include connectors, endpoints, or any declared environment variables for external service credentials — this mismatch is unexplained.
Instruction Scope
SKILL.md instructs the agent that it 'must call real platform APIs' and forbids fabricating prices/vehicles, yet the instructions + shipped code operate with simulated data and random distance generation. The instructions may expect network calls and credential usage, but the actual instructions and code do not show where or how real API calls or credential handling would occur. Additionally, a prompt-injection pattern (unicode-control-chars) was detected in SKILL.md, which could indicate an attempt to influence the runtime evaluator or agent behavior.
Install Mechanism
No install spec (instruction-only) and only requires python3 to run the included scripts — no external downloads or obscure installers were found.
Credentials
The skill declares no required environment variables or primary credential, yet its own instructions demand integration with a real ride platform (which normally requires API keys/URLs). The absence of declared env vars or config paths for platform credentials is inconsistent and leaves unclear how the skill will authenticate to real services if installed.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not appear to modify other skills or system settings. Autonomous invocation remains allowed by platform default, which is normal.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode injection patterns were detected inside SKILL.md; this is not expected for a plain service description and could be an attempt to influence the evaluator or agent. Review the raw SKILL.md for hidden control characters before trusting the instructions.
What to consider before installing
This skill looks like a mock/demo of an enterprise ride-service (simulates drivers, pricing, and orders) but its own documentation insists it must call a real ride-platform API. Before installing or using it: (1) ask the author how and where to configure real platform endpoints and API credentials — do not provide secrets until you confirm secure handling; (2) inspect the full source (including truncated sections) to verify there are no hidden network calls that exfiltrate data or hard-coded credentials; (3) remove or inspect any unicode control characters in SKILL.md (they may hide instructions or alter parsing); (4) if you expect real bookings, require that the skill declare/expect environment variables for API keys and TLS endpoints and add secure error/consent handling; (5) if you don't trust the source, treat this as a local simulator only and do not run it with real credentials or on production systems.Like a lobster shell, security has layers — review code before you run it.
latestvk9782jengk6ep30c8vac7p1vnx83y26y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚗 Clawdis
Binspython3