Skill v1.0.0

ClawScan security

Flight Price Comparison · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 29, 2026, 8:27 AM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (browser-based flight price comparison) matches the code, but there are inconsistencies in how account credentials are provided and handled, and the shipped script appears incomplete/buggy. Review before use, and avoid putting plaintext passwords into repo/config files.
Guidance
What to consider before installing:
- The skill legitimately needs browser automation access to log in and scrape prices, but it instructs you to put account/passwords into TOOLS.md (plaintext). Do NOT store sensitive credentials in a repository or shared location. Prefer manual login or scan-to-login where possible.
- The skill metadata does not declare any required config paths or credentials even though SKILL.md asks for TOOLS.md entries; that mismatch reduces transparency. Ask the maintainer to declare required config paths and explain exactly how credentials are read and protected.
- The provided Python script uses the OpenClaw browser API (expected) but appears incomplete/truncated and may contain bugs (the main invocation in the provided file is cut off). Verify the full script before running and review the code path that would read credentials or autofill forms.
- If you must use it: (1) run in an isolated environment, (2) avoid storing passwords in project files, (3) prefer ephemeral sessions or manual/phone scan login, (4) monitor the first runs manually to confirm no unexpected network uploads occur.
- If you enable autonomous invocation for convenience, be aware it can use any stored browser sessions/credentials without further prompts; only enable autonomy after you confirm secure handling of secrets and review of the full code.

Review Dimensions

Purpose & Capability
note
Name/description, SKILL.md, and scripts/search_flights.py consistently describe browser automation against flight platforms (fliggy, ctrip). The dependency on an OpenClaw browser API is expected for this purpose. However, SKILL.md asks the user to place account/password info in TOOLS.md (local config) while the skill metadata does not declare any required config paths or credentials; this mismatch weakens transparency about where secrets are stored and how they are accessed.
Instruction Scope
concern
SKILL.md explicitly instructs adding platform account credentials to TOOLS.md and says the script will auto-fill them. The included Python script uses the openclaw.browser API for automated page actions and snapshots (expected), but the visible code does not show any logic that reads TOOLS.md or other local credential storage (the file is truncated and the main flow appears incomplete/buggy). That discrepancy between instructions promising autofill/login and code that shows no credential loading is an incoherence. The skill does not instruct sending credentials to external endpoints, but it does direct the agent to maintain browser sessions, which will contain account state.
Install Mechanism
ok
No install spec (instruction-only plus a script), which is the lowest install risk. The script depends on the OpenClaw runtime (import openclaw.browser), which is reasonable for an OpenClaw skill.
Credentials
concern
SKILL.md requires users to put platform account passwords into TOOLS.md, but the skill metadata declares no required env vars or config paths. Requesting plaintext credentials (via guidance to edit TOOLS.md) is plausible for login automation, but it is not declared in the manifest, and there is no clear secure storage or handling described. This is disproportionate from a metadata/transparency perspective and increases risk if users follow the instructions and store secrets in plaintext.
Persistence & Privilege
note
always: false (good). The skill can be invoked autonomously (platform default). Because the skill expects stored credentials and maintains browser sessions, autonomous invocation could use those stored credentials without prompting; this raises operational risk if you enable autonomous runs, but autonomy itself is normal for skills.