Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Travel Planner Pro

v1.0.3

Your AI travel agent that creates detailed itineraries, tracks budgets, plans weather-smart activities, and provides packing and document checklists tailored...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The files, SKILL.md instructions, examples, and config all align with a travel-planning agent: itinerary generation, profile files, Open-Meteo usage, packing lists, and a pre-trip reminder script. However, the package also includes a dashboard spec and SQL schema describing a cloud DB (Supabase/Postgres) even though the skill does not request any credentials or environment variables. The dashboard/schema are plausible companion artifacts but are not required for the core chat-based skill — this is a minor mismatch to be aware of.
Instruction Scope
SKILL.md explicitly instructs the agent to read/write local files (travel/travel-profile.json, config/travel-config.json, travel/trips/*), perform web_search/web_fetch (Open-Meteo), and copy files into the workspace via the provided SETUP-PROMPT. Those behaviors are consistent with the described purpose. However: (1) a static scan flagged prompt-injection patterns (e.g., 'ignore-previous-instructions') — the SKILL.md contains an explicit prompt-injection defense which appears intentional, but the presence of the pattern is notable; (2) the included setup and reminder scripts contain malformed/buggy shell code (truncated loops, stray fi/returns) which means running them as-is may fail or behave unpredictably. The instructions ask the agent to execute local shell commands (via the SETUP-PROMPT), so broken scripts increase operational risk.
Install Mechanism
No install spec — the skill is instruction-only with some packaged files. That minimizes supply-chain risk (no downloaded binaries). The only executable artifact is a local script (scripts/trip-reminder.sh) which is packaged with the skill; there are no remote downloads or external installs declared.
Credentials
The skill requests no environment variables, no external credentials, and no special config paths. This is proportional to a local travel-planner: it uses public Open-Meteo (no key) and local JSON files. The dashboard/SQL mentions cloud services but these are optional artifacts and not required to use the core skill.
Persistence & Privilege
always:false and no privileged flags. The SETUP-PROMPT asks to copy files into the user's workspace and set restrictive file permissions (chmod 600/700) — this is reasonable for a local skill that stores user data. The skill does not request to modify other skills or system-wide agent settings.
Scan Findings in Context
[ignore-previous-instructions] expected: The pattern detector found prompt-injection text. This SKILL.md explicitly includes a 'Prompt Injection Defense' section instructing the agent to treat external content as data and to ignore embedded commands like 'Ignore previous instructions.' The presence of the pattern appears intentional and defensive rather than malicious, but the scanner flag is still useful signal.
What to consider before installing
What to consider before installing/running this skill:

1) Inspect and fix the shipped shell scripts before running them. The SETUP-PROMPT and scripts/trip-reminder.sh contain malformed shell code (truncated loops and stray conditionals). Do NOT run them as-is — they may fail or behave unpredictably. Have someone run shellcheck / lint them and correct the logic, or run them in a sandboxed environment (container or VM) first.

2) The SKILL.md contains an explicit prompt-injection defense (good), but the static scanner flagged prompt-injection patterns present in the file. That appears to be the defense wording itself. Still, be cautious when pasting external confirmations/booking emails into the agent and follow the policy: never paste raw passport numbers or credit-card numbers; the skill claims it will only store expiry dates and 'ends in XXXX' for cards.

3) The package includes a dashboard spec and SQL schema referencing cloud DB patterns (Supabase/auth.uid()). Those are optional companion artifacts — they do not automatically send data to the cloud, but if you deploy a dashboard you will need to provide credentials. If you plan to use the dashboard, audit any networked components carefully and provision separate credentials.

4) The project claims an audit and ‘Codex Security Verified’ in README/SECURITY.md. The presence of buggy scripts and incomplete setup code contradicts a polished audit. Treat the audit claim as unverified until you or an independent party confirm the code quality.

5) Operational safety tips: run the skill and any setup scripts in a confined environment (container/VM), back up your workspace before first run, enable disk encryption if storing sensitive docs, and search the repository for any outbound network endpoints (none suspicious were found in this package aside from Open-Meteo and general web search).
If you’re not comfortable fixing the scripts, avoid executing them and instead perform the setup steps manually (create directories, copy files, set permissions) based on the README. If you want, I can produce a short checklist of the exact lines in the scripts that look broken and suggest corrected versions you (or a sysadmin) can paste in to repair them.
SKILL.md:18
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
