ClawHub

Tenerife

v1.0.0

Navigate Tenerife as visitor, resident, digital nomad, or retiree with zones, transport, costs, residency, and local insights.

0· 381·0 current·0 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the included markdown files all align: the skill is a static Tenerife travel/residency/nomad guide. It requests no binaries, env vars, or installs that would be unrelated to its purpose.
!
Instruction Scope
SKILL.md instructs the agent to 'load relevant auxiliary file for details' and to provide 'current data'; otherwise it contains no commands or file reads outside the skill bundle. However the SKILL.md triggered a regex finding for unicode-control-chars (prompt-injection signal) — this could be an attempt to manipulate the agent's runtime behavior or evaluation. The instructions themselves are otherwise narrowly scoped to travel guidance.
Install Mechanism
No install spec and no code files; the skill is instruction-only, so it doesn't write code to disk or fetch external binaries.
Credentials
The skill declares no required environment variables, credentials, or config paths — the requested access is minimal and appropriate for a static guide.
Persistence & Privilege
always:false and no special privileges requested. Autonomous invocation (disable-model-invocation:false) is the platform default; nothing else in the package requests persistent or cross-skill configuration changes.
Scan Findings in Context
[unicode-control-chars] unexpected: The skill is a static markdown travel guide, so presence of unicode control characters is unexpected and flagged as a potential prompt-injection vector. This does not necessarily mean maliciousness, but it warrants manual inspection of SKILL.md to locate and remove hidden characters.
What to consider before installing
What to consider before installing: - The skill appears to be a harmless, self-contained travel guide (no installs, no credentials), but an automated scan found unicode control characters in SKILL.md — these are a known technique to hide or alter prompts and could cause an agent to behave unexpectedly. - If you plan to enable the skill, inspect SKILL.md (and related markdown files) in a text editor that can reveal hidden/control characters (show invisibles) and remove any suspicious characters. - Prefer to keep this skill user-invocable (not always-enabled) and avoid granting it network access or elevated privileges until you've validated the files. - Do not enter secrets or credentials when interacting with the skill; none are required. - If you want higher assurance, ask the publisher for a checksum or a source repository, or request a cleaned copy of SKILL.md with control characters removed. Additional information that would change this assessment: a benign explanation for the control characters (e.g., intentional emoji or formatting metadata) or a publisher/source repository verifying the files' integrity — either would raise confidence to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk971h6q1zq07vry4z7s2j22ywn81p9hp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌋 Clawdis
OSLinux · macOS · Windows

Comments