Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
用空位“雷达”替你抢旅游目的地的米其林/热门餐厅
v1.0.0旅行目的地米其林与热门餐厅空位监控、自动预约与定金提醒助手。 收集用户旅行日期、目的城市、人数与用餐偏好后,自动匹配米其林/热门餐厅清单, 持续监控空位并尝试自动预约,需要定金或确认时通过短信/Push 通知用户。 当用户提到"餐厅预约""米其林订位""旅行餐厅""热门餐厅预定""自动订餐厅""抢位" "餐厅空位...
⭐ 0· 67·0 current·0 all-time
by@lmercy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description match the instructions (monitoring candidate restaurants and trying to book them). However, the SKILL.md expects outbound notifications (SMS/Push/IM), automated account interactions (registration, verification) and browser/API automation against many third-party booking platforms, yet the skill declares no required credentials, no notification provider, and no install/runtime bits to perform those actions. That gap (describing capabilities that require third-party credentials/infrastructure but not requesting/providing them) is an incoherence.
Instruction Scope
Instructions explicitly describe actions that involve sensitive data and system access: using user phone numbers and emails for identity verification, potentially receiving or 'auto-reading' SMS verification codes (the reference says codes can be 'manually provided or auto-read'), filling credit-card preauthorization fields after explicit consent, and using browser automation to poll websites. The SKILL.md does not limit or specify how SMS/Push messages are sent/received, nor does it clearly constrain what gets persisted or what channels are used to transmit verification codes — this broad scope increases privacy risk and is underspecified.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes on-disk risk; the evaluator found no downloads or install steps. This is low-installation risk but means the instructions alone determine runtime behavior.
Credentials
The skill will handle sensitive user data (phone numbers, emails, possibly credit-card details and platform credentials) but declares no required environment variables or external service credentials (e.g., SMS gateway API keys, Twilio, SendGrid, or platform API tokens). Expectation that notifications and automated bookings occur without specifying how or where credentials are provided is disproportionate. The SKILL.md also suggests the agent might 'auto-read' SMS verification codes — that requires platform-level access not described here.
Persistence & Privilege
The skill does not request always-on status, does not declare system config writes, and explicitly states a non-persistence policy for sensitive fields (phone/SMS/credit-card). As an instruction-only skill it has no built-in permanent presence. That said, the policy statements are asserted in prose and lack technical enforcement details.
What to consider before installing
This skill's goal (monitoring and attempting restaurant bookings) is reasonable, but before installing or using it you should ask the developer to clarify a few concrete details: 1) How will outbound notifications be sent? (Which SMS/Push/IM provider will be used? Will the skill require you to supply API keys such as Twilio/SendGrid/Push service tokens?) 2) How are verification codes handled in practice? (If the skill 'auto-reads' or requests forwarding of SMS codes, what channel is used and is that channel secure? Will the skill ever ask you to paste OTPs into the chat?) 3) How are payment/credit-card details handled and transmitted? (Prefer never to type full card numbers into chat — require a secure payment flow or redirect to the restaurant/payment provider.) 4) Will the agent need your accounts or passwords for booking platforms, and if so, how will those credentials be stored/used/rotated? 5) Request a data-flow diagram and a retention policy: what is logged, for how long, and where are logs stored/encrypted? 6) Confirm who pays for SMS costs and whether two-way SMS commands can trigger charges. If the developer cannot clearly list the external services used and how credentials are handled, treat the integration as risky. As a safety measure, avoid providing full credit-card or account passwords in chat; prefer manual confirmation flows for payments and OTPs, and only provide minimal personal contact info required for a given booking.Like a lobster shell, security has layers — review code before you run it.
latestvk978zgtpaz7cttx9mawczfw7hn8408k4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.