Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Paradiz

v1.0.0

Reply to clients on VK with the cost of a stay based on an Excel price list. Use when you need to quickly calculate a price by dates, number of guests and room, and you...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (VK replies and price calculation) align with included scripts: calc_quote, holds management, saving bookings, and syncing prices to a local DB. File operations and DB updates are proportional to a booking/quote skill.
Instruction Scope
SKILL.md instructs the agent to run local scripts to compute quotes, check availability, create holds, save bookings and send short VK replies — that matches the scripts. However the runtime behavior includes sending PII (guest name, phone, email, dates, room, amount) to Telegram as a notification, which is an external transmission of customer data and should be explicitly approved by an operator/owner.
Install Mechanism
No install spec (instruction-only skill) and all code is included in the bundle. Nothing is downloaded from external URLs or executed during install; risk from install mechanism is low.
Credentials
Registry metadata lists no required env vars, but scripts attempt to obtain Telegram credentials by reading /home/openclaw/.openclaw/openclaw.json (looking for PARADIZ_TG_BOT_TOKEN or a global channels.telegram.botToken). This access to a global agent config is not declared and broadens the skill's reach beyond its stated requirements. The skill will therefore act using credentials found in that file unless otherwise provided — the expected PARADIZ_TG_BOT_TOKEN and PARADIZ_TG_CHAT_ID are not declared in requires.env.
Persistence & Privilege
Skill is not forced-always; it does not claim to modify other skills or system-wide settings. It writes booking/holds files and updates DBs inside its workspace, and backs up test DB; these are consistent with its purpose.
What to consider before installing
This skill appears to implement quoting, holds, and booking saving as described, but review these points before installing:

- Telegram notifications: the scripts will send guest PII (name, phone, email, dates, room, amount) to a Telegram chat. Confirm you want that and verify which chat ID/bot will be used.
- Undeclared credential access: the code reads /home/openclaw/.openclaw/openclaw.json to find a PARADIZ_TG_BOT_TOKEN or a global Telegram bot token. The skill registry lists no required env vars; ask the author to declare PARADIZ_TG_BOT_TOKEN and PARADIZ_TG_CHAT_ID (or document reliance on the global config) so you can control which credentials it uses.
- Data residency: the skill writes bookings and holds to files and may update SQLite DBs under the workspace; ensure those paths are acceptable and that backups are handled appropriately.
- Privacy & compliance: because customer personal data is stored and transmitted, confirm you have consent/policies in place and that the Telegram destination is trusted.

If you cannot verify the Telegram config or do not want PII sent to an external chat, do not enable notifications or run save_booking.py with --notify, and request that the author make credential usage explicit.
