Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
hotel-booking
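v1.0.0
分贝通 (Fenbeitong) hotel booking assistant: searches hotels in real time, displays hotel lists, queries hotel room types, displays room products and prices, books hotels, views orders, cancels orders, and views basic hotel information and hotel reviews.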
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, included scripts (fb_hotel_api.py, openai_adapter.py, formatter.py), and required binary (python3) align: the code wraps a single external API (app-gate.fenbeitong.com) and implements search, price query, create/cancel order, and token storage as described.
Instruction Scope
Runtime instructions require authenticating via phone/captcha and storing an access token in ~/.fbt-auth.json; all API calls go to the documented fenbeitong endpoint. The skill reads/writes only that auth file and makes network requests to the stated service. Note: the SKILL.md explicitly requires use of scripts/fb_hotel_api.py and forbids fabricating results (so the agent will call the external API).
Install Mechanism
There is no remote download/extract install spec. A requirements.txt lists common packages (requests, pyyaml, python-dotenv) — reasonable for a Python client. No suspicious external URLs or archive extraction are present.
Credentials
The skill requests no environment variables and uses only a per-user auth file (~/.fbt-auth.json). Points to consider: (1) a DEFAULT_ACCESS_TOKEN is hardcoded in fb_hotel_api.py (labeled as a test token), and (2) tokens are stored in plaintext in the user's home directory and auto-read by the client — expected but a privacy consideration. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request system-wide changes or modify other skills. Its only persistent artifact is the auth file in the user's home directory (normal for storing an access token).
Assessment
This skill appears to do exactly what it says: it calls 分贝通 (fenbeitong) APIs and stores a per-user access token in ~/.fbt-auth.json. Before installing, consider: (1) Do you trust the endpoint app-gate.fenbeitong.com and the publisher? (2) Tokens are written in plaintext to your home directory — delete or rotate them if you stop using the skill. (3) The package uses Python and requires requests/pyyaml/python-dotenv; run it inside an isolated virtualenv. (4) The code contains a hardcoded DEFAULT_ACCESS_TOKEN (test token) — avoid relying on it for production. If you need stronger protections, request that the skill encrypt token storage or use a platform-managed secret store.
Like a lobster shell, security has layers — review code before you run it.
latest vk978rcxmjs0zw4wgsxc77ca1jn83mzmx
Runtime requirements
🏨 Clawdis
Bins: python3
