Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Transit Risk Assessment & Delay Hotel Recommendations & Last-Mile Transport Check

v1.0.2

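Travel transit risk-check assistant providing three core functions: transfer risk assessment, delay hotel recommendations, and last-mile transport checks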

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, and SKILL.md all align on transit risk, delay-hotel recommendations, and last-mile checks. However, the SKILL.md requires integration with three MCP servers (travel-data, hotel-booking, city-transport) and their API keys (TRAVEL_API_KEY, HOTEL_API_KEY, TRANSPORT_API_KEY) even though the registry metadata lists no required environment variables or primary credential. That undeclared credential requirement is inconsistent with the published skill metadata.
Instruction Scope
Runtime instructions reference $ARGUMENTS, $ORDER_DATA, $USER_LOCATION and call specific MCP methods (e.g., travel-data.get_order, hotel-booking.search_hotels). They also describe push notifications, SMS/email delivery, and automatic triggers. Those output channels and the data access (order data, flight status, user location) imply access to sensitive user data and communication channels, but the skill does not declare the credentials or permissions needed for those actions. The instructions also tell the agent to run npx commands to launch MCP servers at runtime, which will download and execute remote packages.
Install Mechanism
There is no formal install spec, but the SKILL.md requires launching MCP servers via npx (npx -y @travel/mcp-server, etc.). That means code will be pulled from npm (or the package's configured registry) at runtime and executed. Runtime npx installs are a moderate-to-high risk because arbitrary code is fetched and executed without an explicit install policy or pinned, audited artifact. package.json includes publishConfig that points to an internal registry (https://contextlab.alibaba-inc.com/skill), which raises additional questions about package provenance.
Credentials
The SKILL.md references TRAVEL_API_KEY, HOTEL_API_KEY, and TRANSPORT_API_KEY as environment variables for MCP servers, but the skill metadata declares no required env vars. Other necessary credentials for push notifications, SMS/email gateways, or accessing user orders are not declared either. Requesting multiple external API keys is reasonable for this functionality, but the absence of declared env vars and no explanation of required key scopes or minimal privileges is a mismatch and a potential risk for accidental over-permissioning or secret leakage.
Persistence & Privilege
always:false and disable-model-invocation:false (default) — the skill is not force-included and can be invoked autonomously like normal skills. The skill does not declare actions that modify other skills or global agent configuration. No install-time persistence is declared. Still, runtime npx execution could introduce code that persists or exfiltrates data if the fetched packages are malicious; that risk ties back to the install_mechanism concern above.
What to consider before installing
This skill's functionality (transfer risk, hotel recommendations, last-mile checks) is coherent, but there are important mismatches and runtime risks you should resolve before installing:
1) Confirm exactly which environment variables and API keys are required (SKILL.md references TRAVEL_API_KEY, HOTEL_API_KEY, TRANSPORT_API_KEY) and ensure they are declared and limited in scope.
2) Ask the publisher for the source, checksum, and trust model for the MCP packages (@travel/mcp-server, @hotel/mcp-server, @city-transport/mcp-server). Running npx at runtime will fetch and execute remote code—only allow this if the packages are audited/trusted.
3) Verify where push notifications, SMS/email, and order data access will be sent/received and what credentials those integrations require; avoid providing high-privilege keys (e.g., broad cloud admin keys).
4) If you must test, run the skill in a restricted sandbox with network and secret access limited, monitor outbound network calls, and avoid reusing production credentials.
5) Prefer a version-pinned, audited install artifact or a manifest that explicitly lists required env vars/permissions; if the publisher cannot provide that, treat the skill as higher-risk and consider not installing.

Like a lobster shell, security has layers — review code before you run it.
