ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Accor

v1.0.6

雅高酒店集团介绍和预订指南

0· 89·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description mentions '介绍和预订指南' (introduction and booking guide), but the SKILL.md only contains a brand profile and prompts for high-level information; there are no instructions for booking workflows, APIs, credentials, or steps to complete reservations. This is a mismatch between advertised capability and actual instructions.
Instruction Scope
SKILL.md is limited to presenting a brand profile and includes 'read_when' triggers. It does not instruct the agent to read local files, access environment variables, make network calls, or transmit data to external endpoints beyond recommending official channels. Scope is narrow and well-contained.
Install Mechanism
No install spec and no code files (instruction-only). Nothing is written to disk or downloaded at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional to the SKILL.md which only provides informational content.
Persistence & Privilege
always is false and the skill does not request elevated or persistent privileges. It is user-invocable and can be invoked autonomously (platform default), which is expected for skills.
What to consider before installing
This skill appears low-risk because it is instruction-only, requests no credentials, and doesn't install code. However, its description promises booking guidance while the runtime instructions only provide a brand profile. Before installing or using it for reservations: (1) verify booking steps and prices on Accor's official site rather than relying on this skill, (2) ask the skill author to clarify or add booking-specific instructions and any required API credentials if booking automation is intended, and (3) avoid sharing sensitive payment or account details to the skill unless it explicitly documents a secure, verifiable integration.

Like a lobster shell, security has layers — review code before you run it.

latestvk973gn9d0vsxsnsyfmbk6k0c7d84x15k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments