Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Luxury Travel Plan
v1.0.0Curate ultra-luxury travel experiences for discerning travelers seeking the finest accommodations, first-class flights, private jets, luxury cruises, and exc...
⭐ 0· 62·0 current·0 all-time
byFishhao@fishhao123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and the provided templates/examples align with a luxury travel curation skill. However, the SKILL.md explicitly uses a 'flyai' CLI in its search guide but the skill metadata declares no required binaries — that's an internal inconsistency (the skill likely expects a tool that isn't declared).
Instruction Scope
Runtime instructions direct the agent to perform web searches via 'flyai keyword-search' commands and to verify booking links. That means the agent will execute shell/CLI searches and follow external links; the SKILL.md gives broad discretion (search top resources, verify links) which could lead to network retrievals and interacting with third-party pages. Those behaviors are within the skill's purpose but the reliance on an undeclared CLI and open-ended link verification increases risk if you don't control the runtime environment.
Install Mechanism
No install spec and no code files — lowest risk from installation. Nothing will be written to disk by the skill itself during install. The remaining risk is runtime (CLI/HTTP) rather than install-time.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a content/template skill. However, the use of 'flyai' suggests a missing declared dependency that may in practice require credentials or a configured CLI. The skill does not declare or ask for such credentials, creating a proportionality/visibility gap.
Persistence & Privilege
The skill does not request always:true, does not require system config paths, and is user-invocable only. It does allow normal autonomous invocation (platform default), but that alone is not a red flag here.
What to consider before installing
This skill appears to be a legitimate luxury travel content/template pack, but exercise caution for these reasons:
- Undeclared CLI dependency: The SKILL.md instructs use of a 'flyai' command-line tool, yet the skill metadata lists no required binaries. Ask the author: does this skill require the 'flyai' CLI or other tools? If so, those should be declared and you should vet that binary.
- Network activity & link verification: The skill instructs the agent to search, fetch, and verify external booking links. If the agent is allowed to access the network or run shell commands, it may follow external URLs. Only enable this skill in environments where outbound network activity and CLI execution are acceptable.
- Unknown origin: There is no homepage or publisher information. If you plan to use it for real bookings, prefer skills from known authors or request provenance/changes. Watch for affiliate or tracking links in outputs.
- Safe usage recommendations: (1) Ask the skill author to declare dependencies (flyai) and required credentials if any. (2) Test the skill in a sandboxed environment first. (3) Restrict autonomous invocation or limit network access if possible. (4) Never provide personal credentials or payment details to the agent; handle bookings through vetted, trusted providers.
If the author confirms no external CLI/credentials are required and you trust the source, the skill is reasonable for generating luxury travel proposals; otherwise treat it cautiously or refuse installation.Like a lobster shell, security has layers — review code before you run it.
latestvk975jpqpxx5s0tgyzds8f7ygad840ad9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.