Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alaska Air
v1.0.0Scrape Alaska Airlines award calendar and flight data to check miles, award availability, and prices for single-leg trips on alaskaair.com.
⭐ 0· 71·0 current·0 all-time
by@iskwang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The core scraping steps (curl the calendar endpoint, parse HTML with Python) are coherent with the skill's purpose. However, the SKILL.md mandates spawning separate sub-agents using a specific external model (openrouter/anthropic/claude-...) for parallel queries; parallelism could be implemented locally and does not inherently require external models. The requirement to spawn a named external model is disproportionate and unexplained.
Instruction Scope
Instructions tell the agent to write files under /tmp, run curl and python3 (consistent), and—critically—to immediately send each sub-agent's results via the 'message' tool to a Telegram chat_id. Mandating immediate, independent sends and forcing a specific message format increases the chance of unexpected data exfiltration or spam. The spawn template grants broad autonomy to sub-agents (exec, read, message).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk (nothing will be downloaded or written except temporary /tmp files during runtime).
Credentials
The skill declares no required environment variables or credentials, yet instructs spawning an OpenRouter/Anthropic model (which would normally require API keys) and sending Telegram messages (which often requires a bot token or platform messaging capability). The lack of declared credentials or explanation for how the 'message' tool is authorized is an inconsistency.
Persistence & Privilege
The skill does not request always:true or any system-wide persistence. It writes temporary files under /tmp and uses allowed tools; these behaviors are expected for a scraper. The mandatory spawning of autonomous sub-agents increases runtime reach but is not itself a privilege flag—it's an operational risk when combined with the other inconsistencies.
What to consider before installing
What to consider before installing: 1) The scraping logic (curl + local Python parsing) is reasonable for this purpose, but the skill also requires spawning parallel sub-agents that target a named external model provider and to immediately send results via the platform 'message' tool. Ask the author why external models are required for parallelism and how the platform will supply any needed API keys—no credentials are declared in the skill metadata. 2) Verify how the agent's 'message' tool is authorized: who provides the Telegram bot token and who can supply chat_id values? Ensure chat_id is supplied at call time and not hardcoded. 3) Expect runtime network activity beyond Alaskaair (calls to external model endpoints and the messaging endpoint); if you want tighter control, request removal of the mandatory sub-agent spawn behavior and require explicit user approval before sending messages. 4) Test in a controlled environment (rate-limited) to avoid accidental mass requests and review Alaskaair's Terms of Service regarding scraping. 5) If you need a safer install, ask the maintainer to remove the model spawn template or make external model usage optional and to declare any required API keys in the skill metadata so you can review and control them.Like a lobster shell, security has layers — review code before you run it.
latestvk97ef259bbbtjrptjq4xz095dh83dtx3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.