Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tour Compare

v1.0.0

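Professional tour route comparison and analysis, supporting product links and screenshots from multiple platforms, with intelligent multi-dimensional comparison of price, itinerary, ratings and more, plus personalized recommendations.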

by Liang @liangnex
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (tour route comparison) matches the included code: crawler (ota-crawler.js), OCR (image-recognizer.js), analyzer and exporter. The declared capabilities (URL fetch, screenshot OCR, JSON input, PNG export) align with the code files and package.json optional deps (puppeteer, tesseract.js, canvas). No unrelated credentials or bizarre binaries are requested.
Instruction Scope
SKILL.md and docs instruct the agent to fetch arbitrary OTA product URLs, OCR user-provided screenshots, write HTML/PNG reports to file:///Users/zihui/.openclaw/workspace/..., and run local CLI scripts. The packaged scripts (compare.sh, demo.sh) will run node src/index.js and demo.sh uses read -p /dev/tty which can block automated runs. The SKILL.md also contains unicode control chars (prompt-injection signal). Overall the instructions go beyond purely stateless text processing (they instruct network fetches, filesystem writes, and local installs) — reasonable for this tool but should be executed with care and explicit consent.
Install Mechanism
There is no declared install spec in the registry metadata, but package.json and scripts expect npm installs. compare.sh will auto-run npm install if node_modules is missing, which causes dependencies (optional deps include puppeteer and canvas) to be fetched at runtime. Puppeteer will fetch Chromium (large binary) and canvas may require system libraries. package-lock references a non-standard registry mirror (registry.anpm.alibaba-inc.com) in some entries, increasing supply-chain observation risk. No direct arbitrary remote archive downloads were found, but implicit npm installs and Chromium downloads are a non-trivial runtime action.
Credentials
The skill requests no environment variables, no credentials, and no config paths in the registry metadata. The code and docs do not require API keys or other secrets. That is proportionate for a web-scraping/OCR/comparison tool. (Caveat: running npx clawhub publish examples or npx clawhub login noted in docs would require user tokens — these are optional publishing steps, not core to the skill's function.)
Persistence & Privilege
The skill is not 'always: true' and does not request elevated privileges. However it will write local report files (examples show a user-local file:// path) and the packaged demo/CLI will run npm install and write to the workspace. Autonomous invocation is allowed (default), which combined with the earlier concerns (auto-installs and prompt-injection markers) increases blast radius — consider requiring explicit user approval before running network installs or the crawler.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains unicode control characters flagged by the scanner. These can be used to hide or alter visible text (prompt-injection technique). This is not necessary for a travel comparison document and is suspicious — it could be accidental formatting or an attempt to obscure embedded instructions. Inspect SKILL.md raw bytes before trusting automated execution.
What to consider before installing
What to consider before installing or running this skill:
- The code and docs match the described purpose (URL scraping, OCR, analysis), but the package will try to install node dependencies at runtime (compare.sh auto-runs npm install). Puppeteer (optional) will download Chromium; canvas/tesseract.js have native or large-assets requirements. If you run this on your machine, expect big downloads and possible native build steps.
- SKILL.md contains unicode control characters (a prompt-injection signal). Treat this as suspicious: view the raw SKILL.md (hex/visible control-char safe viewer) and confirm there are no hidden instructions or data before running automated processes.
- package-lock entries reference a non-standard registry mirror (registry.anpm.alibaba-inc.com). Prefer installing only from official registries or inspect package-lock and network traffic. Consider running npm install with a lockfile you trust or in a sandbox.
- Do not run the demo script or compare.sh in an environment with sensitive data or unattended automation. demo.sh uses read -p and /dev/tty (interactive) which can hang or behave unexpectedly in non-interactive agents. compare.sh will install deps automatically; to avoid unexpected installs, run npm install manually after reviewing package.json and package-lock.
- Run in an isolated sandbox (VM/container) or code-audit first: search for network endpoints, hard-coded URLs, exfiltration logic, or unexpected child_process.exec usage. Pay attention to any code that posts data to remote endpoints or runs arbitrary shell commands.
- If you only need the comparison logic without crawling, use JSON-mode inputs (no network fetch) and avoid enabling puppeteer/optional deps. Consider disabling autonomous execution of the skill in your agent unless you reviewed/approved its behavior.
- If you want to proceed, recommended steps: inspect SKILL.md raw, review src/crawler/ota-crawler.js and src/crawler/image-recognizer.js for any outbound endpoints, run npm install with a trusted registry and verify packages, and execute in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.
