Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
United
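v1.0.1 Provides United Airlines flight search, booking, check-in, flight management, and MileagePlus membership services, with support for mileage redemption, lounge lookup, and other features.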
⭐ 0· 64·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill description claims flight search, booking, check-in, MileagePlus membership operations and mile redemption — capabilities that normally require API access, payment handling, or user credentials. The SKILL.md contains only a static 'information station' for United (history, business scope, news) and no runtime steps, API calls, or credential handling. This is a clear mismatch between claimed purpose and actual instructions.
Instruction Scope
The SKILL.md itself is benign and narrowly scoped: it instructs the agent to present company information and suggests visiting the official site. It does not ask the agent to read files, access environment variables, or transmit user data.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes installation risk — nothing is downloaded or written to disk by the skill itself.
Credentials
The description implies needing credentials or payment/payment-API access for bookings and MileagePlus operations, but requires.env and primary credential fields are empty. Either the skill is only informational (in which case the description is misleading), or required credentials are missing from the manifest. Both possibilities are concerning because they leave unclear whether user credentials would be requested later.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request persistent privileges or modify other skills. Autonomous invocation is allowed (platform default) but not, by itself, an additional red flag here.
What to consider before installing
This skill's metadata and description promise interactive airline features (booking, check-in, mileage actions) but the provided runtime instructions only deliver generic company information. Before installing: 1) Do not provide account credentials or payment info — the skill manifest doesn't declare any credential needs and there's no homepage or source to verify. 2) Ask the publisher to clarify which features are actually implemented and to provide documentation (API endpoints used, required env vars, privacy policy). 3) Prefer skills that list their install steps, required permissions, and a verifiable homepage or source. If you expect transactional features (booking/check-in/mileage), treat this skill as informational only until the developer supplies proof of secure, documented integration.
Like a lobster shell, security has layers — review code before you run it.
latest vk975cfpyj3y6k5jf66shezbsq584wz6k
