Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
帮我凑假
v1.0.1智能拼假日历助手,帮助用户计算最优请假方案。输入目的地、可请假天数和出发城市,自动生成拼假方案并查询机票价格。当用户提到"凑假"、"拼假"、"请假方案"、"怎么请假划算"、"假期规划"时使用。
⭐ 0· 71·0 current·0 all-time
byhello_hang@hello-ahang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (拼假日历、计算请假方案并查询机票/酒店) match the skill's instructions: it calls search-flight, search-hotel, keyword-search and computes holiday/ weekend combinations. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime steps are narrowly scoped to: (1) install/upgrade the FlyAI CLI via npm, (2) read user preferences from Qoder memory or a specific local file (~/.flyai/user-profile.md), (3) collect trip parameters from the user, (4) compute拼假方案 and query flights/hotels/POI. This stays within the stated purpose, but it does explicitly read/write a local file and call memory APIs — both have privacy implications (personal data storage).
Install Mechanism
The SKILL.md requires running npm install -g @fly-ai/flyai-cli@latest from the public npm registry. This is a common approach for CLI tools but is a moderate-risk install: global npm packages can run install scripts and write to disk. The instruction is expected for the skill but users should verify the package source before installing globally.
Credentials
No environment variables, secrets, or unrelated credentials are requested. The only non-network resources accessed are Qoder memory APIs (if available) and the local file path ~/.flyai/user-profile.md for profile storage — which is proportional for personalization but may store PII, so users should avoid saving sensitive documents in that file.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It may create and modify files under its own ~/.flyai directory or update Qoder memory (if available), which is reasonable for a personalization feature and limited in scope.
Assessment
This skill appears to do what it says: compute leave/holiday combos and query travel data. Before installing or enabling it, consider: 1) npm install -g will download and run a third‑party package globally — review the package (repository, maintainers, install scripts) or install in a controlled environment rather than globally; 2) the skill may read/write ~/.flyai/user-profile.md (personal preferences); do not store sensitive information (IDs, passports, payment data) there and review the file contents periodically; 3) if your agent environment supports Qoder memory, the skill will try to read/update it — confirm you’re comfortable with the memory storage behavior; 4) if you need tighter control, ask the developer for a non-global install option or a way to disable automatic saves. Overall the skill is internally consistent (benign) but exercise the usual caution around installing third‑party CLI tools and storing personal data.Like a lobster shell, security has layers — review code before you run it.
latestvk971z47kra6vennde7wjfq63hx845s4r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.