Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Voyage
v2.3.0Travel planning, itinerary construction, and reservation management. Use when the user wants to plan a trip, build an itinerary, find lodging or restaurants,...
⭐ 0· 156·0 current·0 all-time
byIndigo Karasu@indigokarasu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (travel planning, itineraries, reservations) aligns with the instructions to build plans, persist state, and recommend lodging/food/activities. However, the SKILL.md includes a self-update mechanism that downloads and extracts a GitHub tarball and uses gh/api commands — those capabilities are beyond simple itinerary construction and should have been declared (required binaries/permissions).
Instruction Scope
Runtime instructions include creating and writing files under ~/openclaw/data and ~/openclaw/journals (expected), registering a cron job to run daily, and a self-update flow that fetches remote skill.json and a tarball from a GitHub repo, then extracts/installs it. The file lists also mention optional cooperation with other skills (Sift, Taste, Weave) which could imply reading external skill data, but the instructions do not clearly limit or justify cross-skill access.
Install Mechanism
There is no install spec (instruction-only), which is low friction. But the self-update flow downloads a GitHub tarball and extracts it locally — this writes code to disk and effectively installs updates from a remote repo at runtime. Using GitHub as the source is reasonable, but self-updating behavior increases risk and should be explicit in metadata.
Credentials
skill.json declares no required env vars or credentials, yet the SKILL.md self-update steps call out `gh api` and base64/python processing; those commonly require the GitHub CLI and possibly authentication (GH_TOKEN) which are not declared. Also, optional cooperation with Taste/Weave implies access to other skills' data/models but no additional filesystem or credential access is declared. The absence of declared required binaries (gh, tar, python3, base64) and any GH auth requirement is a mismatch.
Persistence & Privilege
The skill persistently writes state, journals, and decision logs under home directories (declared in skill.json), and it registers a daily cron job to run `voyage.update`. Persisted cron-based self-updates give the skill ongoing ability to change its code and behavior without interactive consent; that increases the long-term blast radius and should be considered before enabling.
What to consider before installing
What to consider before installing:
- Self-update and cron: The skill will register a daily cron job and can pull and extract code from the specified GitHub repo at runtime. That means the skill can change its code automatically — if you don't trust the repo or want silent updates, disable auto-update or remove the cron.
- Undeclared binaries/credentials: The SKILL.md uses CLI commands (gh, tar, python3, base64) and may require GitHub authentication (GH_TOKEN) but the skill metadata does not declare these requirements. Confirm these tools are present and understand what credentials (if any) will be used.
- Persistence and data written: The skill writes plans, decisions.jsonl, events, and journals to ~/openclaw/data/ocas-voyage and ~/openclaw/journals/ocas-voyage. Ensure you are comfortable storing potentially sensitive trip/reservation info there.
- Cross-skill access: The skill says it may cooperate with other skills (Taste, Sift, Weave). Ask or inspect how that cooperation is implemented and whether it reads other skills' private data or tokens.
- Review the source: Because the skill can self-update from the GitHub repo, review the repository (or pin to a commit/tag) and prefer explicit, auditable update behavior (manual approval or signed releases).
If you want to proceed: require explicit disclosure of required binaries and auth, disable or review the auto-update cron, and audit the repository that will be pulled by voyage.update.Like a lobster shell, security has layers — review code before you run it.
latestvk97de6a5tkf2ypq56rbxcxr6kx83r27a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.