Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

打车比价 (Ride-hailing price comparison)

v1.0.0

Enterprise car-service assistant supporting on-demand rides, scheduled rides, airport pickup and drop-off, chartered vehicles and other ride scenarios, with vehicle type selection, fare estimation and order management. Invoke when user needs to book a car, schedule a ride, airport transfer, or manage car service orders.

0 · 35 · 0 current · 0 all-time
by fenbeitong-trip@gaogao605 · duplicate of @cs200809/ride-hailing-helper
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md explicitly requires calling real car-service platform APIs and forbids fabricating prices/vehicle info, but the bundled Python modules implement a fully simulated service (random distance calculation, in-memory driver DB, no network/API integration). That mismatch means the shipped code does not deliver the declared external integration capability and could mislead users expecting real bookings/real-time availability.
Instruction Scope
The instructions constrain the agent to use real platform APIs and not invent data, but the provided runtime instructions and adapter call local functions only. The SKILL.md also triggered a 'unicode-control-chars' pre-scan signal (hidden control characters were detected), which could indicate an attempt to influence parsing or evaluation. The instructions do not request unrelated system files or credentials, however the mismatch between required behavior and actual code is a scope/integrity issue.
Install Mechanism
No install spec: instruction-only deployment with two Python scripts included. The only required binary, python3, is proportionate to the stated purpose. There are no remote downloads or unusual install steps in the metadata.
Credentials
The skill declares no environment variables, no credentials, and the code does not reference external API keys or secret environment variables. This is consistent with the included simulated implementation, but inconsistent with the SKILL.md requirement to call real platform APIs (which would normally require credentials).
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform privileges. It runs as a local Python module and keeps state in memory (orders dict); it does not modify other skills or system configuration.
Scan Findings in Context
[unicode-control-chars] unexpected: The pre-scan flagged hidden/unicode control characters in SKILL.md. This is not expected for a ride-booking skill and may be an attempt to manipulate parsing or evaluation. Inspect the SKILL.md raw bytes for invisible characters before trusting automated analysis.
What to consider before installing
This skill is inconsistent: its documentation requires calling real ride-hailing platform APIs and forbids fabricating prices, but the included code fakes distances/drivers and has no network/API integration. The source is unknown and SKILL.md contains hidden unicode control characters (possible injection). Before installing or using for real bookings:
(1) ask the author for the authoritative integration code or API endpoint names and required credentials;
(2) request that the skill use secure HTTPS endpoints and read API keys only from declared environment variables;
(3) review the full, untruncated source for any hidden behavior (search for network calls, subprocess.exec, filesystem writes, or obfuscated strings);
(4) do not use this skill to place real orders until it is verified to call trusted providers and to handle credentials securely;
(5) consider running the code in a sandboxed environment for dynamic testing.
If the author cannot justify the mismatch between docs and code, avoid using it for production/financial actions.


latest: vk9749cdnaejc4tee8srz38mgyh83zqse


Runtime requirements

🚗 Clawdis
Bins: python3
