ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

American Airlines

v1.0.4

提供美国航空航班搜索、预订、在线值机、会员里程查询、升舱、奖励机票兑换及贵宾室信息服务。

0· 82·0 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill description (flight search, booking, online check-in, mileage queries, upgrades, award redemptions, lounge info) implies integrations with airline systems and credentialed APIs. However the skill requires no env vars, no binaries, no install, and its SKILL.md only provides static brand/company information. The requested capabilities do not align with what the skill actually implements.
!
Instruction Scope
SKILL.md contains only a short informational guide about the brand (history, business, market) and read_when triggers. It contains no instructions to call airline APIs, perform bookings, access credentials, or contact external endpoints. That narrow scope is safe technically but is inconsistent with the advertised transactional functionality — either the description is overstated or the implementation is missing.
Install Mechanism
No install spec and no code files (instruction-only). This is low-risk from an install/execution perspective because nothing is downloaded or written to disk.
Credentials
The skill declares no required environment variables, credentials, or config paths. Given the actual instructions (static info), this is proportionate. If the skill later claims booking features, credential requests would be expected but are currently absent.
Persistence & Privilege
Defaults are used (not always: true). The skill can be invoked by the agent but does not request persistent privileges or attempt to modify other skills or system configuration.
What to consider before installing
Don't assume this skill can search, book, or check in for flights — its description promises transactional airline features but the implementation only provides static company info. If you need booking or account-related actions, prefer the official American Airlines website or app. Before installing or using this skill, ask the publisher for clarification: where are the API integrations, what credentials (if any) will be required, and is there a homepage or source repo? If the skill later requests your airline credentials or payment information, treat that as high-risk unless the source is verified.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708wms9tnfd5yjd15p0vxgg184x7qw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments