ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Choice

v1.0.5

帮助用户搜索并预订Choice Hotels旗下酒店,查询优惠及管理会员权益,主要覆盖美国市场。

0· 97·0 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The metadata and description claim operational capabilities (searching and booking hotels, querying offers, managing member benefits). However the skill requests no credentials, no APIs, and the SKILL.md is only an encyclopedia-style help page describing the brand. This is a clear mismatch between stated purpose and actual capabilities.
!
Instruction Scope
SKILL.md only defines when to read the skill and provides static content sections (brand story, product matrix, footprint, industry observation). There are no runtime instructions to call Choice APIs, perform searches, make bookings, or handle user credentials. The instructions do not perform the tasks the description promises.
Install Mechanism
Instruction-only skill with no install spec and no code files. This has low installation risk since nothing is written to disk or fetched during install.
!
Credentials
No environment variables, credentials, or config paths are requested despite the description implying actions (booking, membership management) that normally require API keys, OAuth tokens, or user credentials. The absence of expected credentials is inconsistent with the claimed functionality.
Persistence & Privilege
Skill is not always-enabled and uses default agent invocation settings. It does not request persistent system privileges or modify other skills' configurations.
What to consider before installing
This skill is inconsistent: it advertises booking and membership features but only supplies static brand information and no integration steps. Don’t assume it can actually search or book hotels or access your Choice account. Before installing or using it for transactions, ask the seller/developer for: (1) the integration method (API/OAuth) and documentation, (2) what credentials it will need and why, and (3) a homepage or source repository to verify authenticity. If you need real booking capabilities, prefer a skill that documents the API endpoints and required credentials, or one provided by an official/verified source. Avoid providing any sensitive credentials until those details are confirmed.

Like a lobster shell, security has layers — review code before you run it.

latestvk972kz1ysmn2wy1brpa0t2j9pn84w7sd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments