Back to skill
Skillv1.0.3
VirusTotal security
途牛酒店预订技能 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:50 AM
- Hash
- 2cfbf75979ba6ee59e98eb335cf60101f29be1897cd4726b4c40c1c5e73ba483
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tuniu-hotel Version: 1.0.3 The skill is classified as suspicious due to its explicit reliance on `shell exec` to run `curl` commands, as stated in `SKILL.md`. While the `curl` commands themselves are designed for legitimate API interaction with `https://openapi.tuniu.cn/mcp/hotel`, the use of `shell exec` is a powerful primitive that introduces a significant risk of shell injection if user inputs are not perfectly sanitized by the agent or if the underlying execution environment is compromised. Additionally, the `TUNIU_MCP_URL` can be overridden via an environment variable, which could allow an attacker to redirect API calls (including the `TUNIU_API_KEY` and user PII) to a malicious server if the environment is compromised. These are vulnerabilities and risky capabilities, not clear evidence of intentional malicious behavior within the skill itself.
- External report
- View on VirusTotal