Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dive trip planner

v1.0.0

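Intelligent dive-trip planning assistant. Analyzes the user's departure location, dates, destination, budget, diving certification level, the marine life they want to see, and other conditions, determines priorities, queries flights, hotels, and dive shops through flyai, and outputs a structured report with maps and multimedia. Use cases: the user says "help me find a dive shop", "recommend dive shops in Bali", "plan a dive trip", etc.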

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and runtime instructions consistently describe a dive-trip planner that queries flights/hotels/dive-shops and builds reports. However, the SKILL.md repeatedly instructs the agent to use an external service called "flyai" for realtime queries but the skill metadata declares no required environment variables, API keys, or tool dependency for flyai. That mismatch may be benign if the platform already provides a flyai tool, but it's an unexplained dependency given the package has unknown source and no homepage.
Instruction Scope
Instructions are conversational and scoped to collecting user travel preferences and querying flyai. They do not instruct reading local files, environment variables, or other system state. They do direct the agent to include external booking links (jumpUrl/detailUrl) and to return maps/media, but they don't explicitly address handling of sensitive personal data (passport numbers, payment info) or verification of external links.
Install Mechanism
No install spec and no code files (instruction-only). This is lower risk because nothing is written to disk by the skill itself.
Credentials
The skill declares no required environment variables or credentials, yet the runtime relies on querying 'flyai' and embedding booking URLs. If flyai requires an API key or account, that credential is not declared here. Also the skill will surface external booking links (potentially affiliate or third-party payment endpoints); presence and handling of any service credentials or tracking IDs are not described.
Persistence & Privilege
always:false and no install hooks or config writes are present. The skill does not request persistent system privileges or modify other skills; autonomous invocation is allowed by platform default (no additional concern unless combined with other red flags).
What to consider before installing
This skill appears to be what it says (a dive-trip planner) but has an unexplained dependency on a service called "flyai" and no declared credentials or source URL. Before installing:
1) Ask the publisher or platform whether a "flyai" tool is provided and whether it requires an API key (and how that key is stored/used).
2) Confirm where booking links (jumpUrl/detailUrl) will direct users and whether they include affiliate/tracking parameters.
3) Avoid sending sensitive personal data (passport numbers, payment card details) to the skill; clarify whether the agent will handle bookings/payment or only provide links.
4) Prefer skills with a known source/homepage or clear documentation about external services and credential handling.
If you cannot verify the flyai dependency or provenance, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
