Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Budget Traval Plan

v1.0.0

Discover random budget travel destinations with cheap flights and hotels. Finds "hidden gem" deals by searching for lowest-priced flights and accommodations,...

by Fishhao (@fishhao123)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose, finding cheap flights and hotels and producing travel plans, matches the workflow in SKILL.md. However, the instructions rely on an external CLI ('flyai', invoked with commands such as search-flight, search-hotel, keyword-search and search-poi) and call other skills (travel-planner, docx, pdf), none of which are declared in the registry metadata: no required binaries and no dependencies are listed. This is a configuration/expectation gap: the skill expects runtime capabilities that it never declares, so the environment either already provides them or the skill fails.
Instruction Scope
The SKILL.md stays on-topic: it collects user preferences, searches flights/hotels/POIs, scores deals, and generates itineraries. Its examples reference external booking and image URLs that look like affiliate links (a.feizhu.com, img.alicdn.com), but it does not instruct the agent to read unrelated local files or environment variables. The main scope concern is the implicit use of external tools and APIs (the flyai CLI and other skills) that reach network resources. That is expected for a travel skill, but it is not documented in the skill metadata, so a reviewer cannot tell from the listing what the skill will actually talk to.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is low-risk from an install-mechanism perspective: the package itself writes nothing to disk. The risk comes from the undeclared external tooling it assumes (see Purpose & Capability).
Credentials
The skill declares no environment variables or credentials, which is good for least privilege on paper. However, its instructions imply the use of external services (the flyai CLI, booking/image links, other skills) that may require API keys or credentials at runtime. The absence of any declared credential requirement is therefore an omission rather than evidence of safety: either the environment must already provide flyai and any keys it needs, or the skill relies on unauthenticated public scraping. Verify how 'flyai' authenticates and whether additional secrets will be needed or accessed.
Persistence & Privilege
The skill does not request always:true, does not declare any persistent config changes, and is user-invocable. It does allow autonomous invocation (the platform default); on its own, and even taken together with the other notes, this is not a new risk, but it does mean the undeclared tooling above could be exercised without a user in the loop.
What to consider before installing
This skill looks like a straightforward travel-deals helper, but its SKILL.md assumes an external CLI named 'flyai' and other skills (travel-planner, docx, pdf) without declaring them. Before installing:
1) Ask the publisher what 'flyai' is, whether it will be present on your agent, and how it authenticates.
2) Confirm whether any API keys or credentials are required at runtime and how they are stored and used.
3) Verify the source and origin: there is no homepage and the owner ID is opaque.
4) Treat the booking links in the examples as possible affiliate or third-party URLs; confirm where they resolve and what the privacy implications are.
If you cannot verify the external tooling, the credentials, or the publisher, treat this as higher risk and do not enable it in sensitive or auto-invoked contexts.
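The gap the scan describes, a SKILL.md that runs binaries, calls other skills and links out to hosts that the registry metadata never declares, is something you can check mechanically before enabling a skill. The script below is an added example, not code from ClawHub or from this skill: it pulls the CLI names, skill references and external hosts out of a SKILL.md and diffs them against the declared metadata, then asks the local PATH whether each CLI actually exists. The sample SKILL.md text is a constructed stand-in written in the style of the flagged skill, and the metadata keys (bins, env, skills) are an assumed layout, not the real registry schema.

```python
"""Audit a SKILL.md for runtime dependencies it uses but never declares.

Added example, not part of the ClawHub page or the skill. The SKILL.md text
and the metadata layout below are constructed stand-ins; the real registry
schema is not reproduced here.
"""
import re
import shutil
from typing import Callable, Optional

# Constructed sample in the style of the flagged skill (not its real SKILL.md).
SAMPLE_SKILL_MD = """\
# Budget Travel Plan

1. Collect the user's origin, dates and budget.
2. Search for the cheapest options:
   $ flyai search-flight --from SHA --to TYO --max-price 300
   $ flyai search-hotel --city TYO --max-price 80
   $ flyai search-poi --city TYO
3. Score the deals, then pass the shortlist to the `travel-planner` skill.
4. Export the itinerary with the `docx` skill or the `pdf` skill.
5. Link each deal, e.g. https://a.feizhu.com/item/123 with a thumbnail
   from https://img.alicdn.com/pic/123.jpg.
"""

# Constructed metadata mirroring the finding: nothing declared at all.
# The keys are an assumed layout, not the real registry format.
SAMPLE_METADATA = {"bins": [], "env": [], "skills": []}

SHELL_LINE = re.compile(r"^\s*\$\s+([A-Za-z][\w.-]*)", re.MULTILINE)
SKILL_REF = re.compile(r"`([\w-]+)`\s+skill")
URL_HOST = re.compile(r"https?://([\w.-]+)")


def referenced_binaries(skill_md: str) -> set:
    """Command names on '$ ' lines, i.e. CLIs the agent is told to run."""
    return set(SHELL_LINE.findall(skill_md))


def referenced_skills(skill_md: str) -> set:
    """Other skills invoked via the `name` skill convention in the text."""
    return set(SKILL_REF.findall(skill_md))


def external_hosts(skill_md: str) -> set:
    """Hostnames the instructions point the agent or the user at."""
    return set(URL_HOST.findall(skill_md))


def audit(skill_md: str, metadata: dict,
          which: Callable[[str], Optional[str]] = shutil.which) -> dict:
    """Compare what SKILL.md uses against what the registry metadata declares.

    `which` is injectable so the check runs deterministically in tests;
    by default it asks the local PATH whether each CLI is actually present.
    """
    bins = referenced_binaries(skill_md)
    skills = referenced_skills(skill_md)
    declared_bins = set(metadata.get("bins", []))
    declared_skills = set(metadata.get("skills", []))
    return {
        "undeclared_bins": sorted(bins - declared_bins),
        "missing_on_path": sorted(b for b in bins if which(b) is None),
        "undeclared_skills": sorted(skills - declared_skills),
        "external_hosts": sorted(external_hosts(skill_md)),
        "declares_credentials": bool(metadata.get("env")),
    }


def verdict(report: dict) -> str:
    """Turn the audit into the go/no-go a reviewer wants before enabling."""
    gaps = report["undeclared_bins"] or report["undeclared_skills"]
    if gaps and not report["declares_credentials"]:
        return "hold: undeclared runtime dependencies and no declared credentials"
    if gaps:
        return "hold: undeclared runtime dependencies"
    return "ok: declared dependencies match usage"


if __name__ == "__main__":
    rep = audit(SAMPLE_SKILL_MD, SAMPLE_METADATA)
    for key, val in rep.items():
        print(f"{key}: {val}")
    print(verdict(rep))
```

Run against the constructed sample, the audit reports flyai as undeclared (and absent from PATH on a machine that does not have it), travel-planner, docx and pdf as undeclared skills, and a.feizhu.com and img.alicdn.com as the hosts the instructions reach; with nothing declared under env, the verdict is to hold. The same script returns "ok" once the metadata declares the binary, the skills and the credential the CLI needs, which is the state the publisher should be asked to ship.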

Like a lobster shell, security has layers — review code before you run it.

latest: vk976wyp3xxpmhz5hzk3j22eeax8431vw

