Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Help Me Persuade Them (帮我说服 TA)

v1.0.1

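Travel proposal generator that helps the user produce a travel plan that uses real data to persuade a partner, boss, parents, or friends. It calls FlyAI to fetch real prices for flights, hotels, and attractions, addresses each concern head-on, and can be forwarded directly on WeChat. Trigger phrases: 帮我说服 (help me persuade), 旅行提案 (travel proposal), 怎么说服 (how do I persuade), 太贵了怎么办 (what if it's too expensive), 帮我写个方案 (help me write a plan).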

by hello_hang @hello-ahang
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description claim to fetch real prices from FlyAI and produce shareable proposals; the SKILL.md indeed uses flyai search-flight/search-hotel/search-poi and templates. Requiring a FlyAI CLI is coherent. However the skill reads/writes a local user profile file (~/.flyai/user-profile.md) and instructs global npm installation; those are reasonable for a CLI-backed assistant but the manifest declared no required config paths or credentials — mismatch between declared metadata and actual instructions.
Instruction Scope
Instructions tell the agent to (a) install a global npm package, (b) run flyai CLI commands prefixed with NODE_TLS_REJECT_UNAUTHORIZED=0 (disables TLS verification), (c) read/write a local file at ~/.flyai/user-profile.md or call search_memory/update_memory. The local file IO (create/read/update) is outside the manifest’s declared config paths and expands scope. The repeated recommendation to bypass SSL verification is a significant red flag (increases MITM/exfiltration risk). There are also minor inconsistencies in package references (e.g., @fly-ai/flyai-cli vs @anthropic-ai/flyai-cli in docs).
Install Mechanism
No formal install spec in registry metadata, but SKILL.md instructs running npm install -g @fly-ai/flyai-cli@latest. Installing from the public npm registry is plausible for CLI usage (moderate risk). The instruction to install globally and to suggest sudo for permission issues raises operational caution (avoid running as root). Overall install approach is expected for acquiring a CLI but should be treated as code execution from the network.
Credentials
Manifest declares no environment or credential requirements, and none are required to be provided, which aligns with no API keys. However SKILL.md repeatedly uses NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass TLS; that is an environment setting that weakens security and is not justified by the described purpose. The skill will also read/write ~/.flyai/user-profile.md (persistent user data) without declaring required config paths; this access should have been declared and justified.
Persistence & Privilege
always:false (good). The skill documents persistent local storage (~/.flyai/user-profile.md) and uses platform memory APIs when available; storing user preferences is coherent. However the skill instructs creating and updating files in the user's home directory and updating 'memory' — those are persistent behaviors the user should consent to. The skill does not request elevated platform privileges, but its persistence combined with network install and TLS bypass increases blast radius.
Scan Findings in Context
[unicode-control-chars] unexpected: Scanner detected Unicode control characters (prompt-injection pattern) inside SKILL.md. This is not needed for a travel-proposal skill and could indicate an attempt to manipulate prompt parsing or conceal content; review the raw file for hidden/control characters before trusting.
What to consider before installing
- TLS bypass: The skill recommends running FlyAI CLI commands with NODE_TLS_REJECT_UNAUTHORIZED=0 to ignore SSL certificate errors. This is unsafe: it disables TLS verification and makes network traffic susceptible to man-in-the-middle attacks. Ask the author why this is necessary; do not run in production or on machines with sensitive data while TLS is disabled.
- Global npm install: The SKILL.md asks you to run npm install -g @fly-ai/flyai-cli@latest. Installing a global package executes code from the network. Inspect the package on npm (publisher, source repository, recent versions, user reviews) before installing. Prefer installing in a sandboxed environment or using npx without global install, and avoid using sudo.
- Local file access: The skill reads/writes ~/.flyai/user-profile.md. The registry metadata did not declare this config path. If you keep sensitive info in your home directory, be aware this skill will create and modify files there. Consider using a disposable environment or review the exact file operations the agent will perform.
- Memory APIs and persistence: The skill uses search_memory/update_memory when available. If you are on a platform providing persistent memory, confirm what is stored and whether you consent to saving travel preferences.
- Minor inconsistencies: Docs reference differing package names (e.g., @fly-ai/flyai-cli vs @anthropic-ai/flyai-cli). Ask the author to clarify the expected CLI package and supply a canonical source (GitHub repo or official homepage).
- Prompt-injection signal: The scanner found Unicode control characters in SKILL.md; review the raw content to ensure there are no hidden or malicious control sequences.

Recommended actions: review the FlyAI CLI source on npm/GitHub, run the CLI in an isolated/test environment first, refuse to set NODE_TLS_REJECT_UNAUTHORIZED in persistent shells, and ask the skill author to declare config paths and explain the TLS bypass. If you lack the ability to audit the CLI, avoid installing this skill system-wide.
