Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
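Hotel Price Comparison
v1.0.0 Hotel price comparison assistant: compares prices for the same hotel room types across OTA platforms such as Ctrip, Meituan, Tongcheng, Qunar, Huazhu Club, Jinjiang Club, and Fliggy, and gives the best recommendation. Invoke when user wants to compare hotel prices across multiple OTA platforms or find the best hotel deal.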
by fenbeitong-trip@gaogao605
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description requires calling multiple OTA APIs to obtain real prices. The code includes per-OTA fetch methods, but those methods are TODO stubs returning empty lists (no real API calls implemented). The package requests network access (requests.Session) but declares no credentials or API keys even though most OTA integrations require keys/cookies or scraping credentials. Required binary is only python3 — that's plausible but insufficient for the stated capability.
Instruction Scope
SKILL.md explicitly mandates 'must call OTA APIs' and 'do not fabricate prices', but runtime code as provided will not fetch OTA prices (stubs). The instructions do not ask the agent to read unrelated files or secrets, which is good, but they assume access to OTA APIs without specifying how credentials or authentication will be provided. That mismatch grants the agent unclear discretion (e.g., how to authenticate or where to fetch data).
Install Mechanism
No install spec — lowest risk for arbitrary downloads. However, the Python scripts import the requests library but the skill does not declare or install that dependency; running may fail or implicitly rely on environment-wide packages. No external URLs, installers, or archive extraction are present.
Credentials
The skill declares no required environment variables or credentials, but real OTA API access typically requires API keys, tokens, or cookies. The absence of any credentials is disproportionate to the claimed real-time API functionality and leaves unclear how authentication will be handled — either the skill is incomplete or it expects secrets to be supplied out-of-band (not declared), which is a red flag for coherence and for potential ad-hoc secret usage.
Persistence & Privilege
The skill does not request permanent/always installation and does not modify other skills or system settings. It is user-invocable and allows model invocation (normal default). No elevated persistence or privileges are requested.
What to consider before installing
This skill's goal (real-time cross-OTA price comparison) is plausible, but the shipped code does not implement the actual OTA queries and requests no API credentials — that's an implementation mismatch. Before installing or running: (1) ask the author how OTA authentication is provided (API keys, cookies, or scraping) and where credentials should be stored; (2) request fully implemented fetch methods or tests showing real queries to each OTA; (3) confirm dependency requirements (requests library) and run in a sandboxed environment to limit risk; (4) review any network endpoints the code will call once fetch methods are implemented; (5) do not supply high-privilege secrets (AWS, payment, or unrelated tokens) unless you validate they are necessary and handled securely. If the author cannot explain how authentication and real data fetching are handled, treat the skill as incomplete and avoid using it with sensitive credentials.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏨 Clawdis
Bins: python3
