Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flight Price Advisor

v1.0.0

Generate concise, user-friendly flight price summaries with buy/wait recommendations. Requires SerpAPI key for real-time price data. Use when users ask about...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md explicitly requires a SerpAPI API key and refers to a local config file (price/config.json) and a price/data/ directory for historical data. The registry metadata, however, lists no required environment variables, no primary credential, and no required config paths. That omission is inconsistent: a flight-price advisor that fetches real-time prices legitimately needs an API key and some config path declarations.
Instruction Scope
The instructions are largely coherent for the stated purpose (compute stats, generate markdown summaries). They also call for checking and reading local price data (price/data/), editing price/config.json, and restarting a server after configuration. Those steps are within the feature set, but they assume filesystem access and server control that are not reflected in the metadata and may be problematic in hosted/shared environments.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute — lower install risk. There are no URLs or archive installs that would add arbitrary code to disk.
! Credentials
SKILL.md requires a SerpAPI key and instructs placing it into a local config file, but the registry does not declare any required credentials/env vars. Requesting an external API key is expected for this functionality, but the lack of declared credential requirements in metadata is a mismatch and prevents platform-level credential safeguards. Storing keys in an editable config file (price/config.json) also raises secrecy/privilege concerns if that file is shared or accessible to other tenants/processes.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. It does instruct editing local config and restarting a server (which requires higher privileges), but the skill itself does not declare persistent/autonomous privileges beyond the platform defaults.
What to consider before installing
This skill appears to do what it says (generate flight price summaries) but the package metadata omits the SerpAPI credential and local config paths that the SKILL.md requires. Before installing or supplying secrets:
1) Ask the publisher for the missing metadata (required env vars/config paths) and for source/homepage to verify provenance.
2) Do not paste your SerpAPI key into shared or untrusted config files; prefer a per-project secret mechanism or platform-provided secret store.
3) If you must test, run it in an isolated environment and use simulated data first.
4) Confirm where price/config.json and price/data/ will live and who/what can read them (avoid storing keys in repo or world-readable files).
5) If the publisher cannot explain the metadata omission or provide source code/homepage, treat the skill as higher risk and avoid giving it real API keys.


latestvk974eqf0cvwqaatdw6y4p0ahhd840391

Runtime requirements

💰 Clawdis
