Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zim
v0.1.3Agent travel middleware for searching flights, hotels, and car rentals, assembling policy-aware itineraries, managing traveler preferences/policy, and prepar...
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The files (Python package, CLI, shell helpers) implement travel search, itinerary assembly, policy logic, and Stripe Checkout as described in SKILL.md. However the registry metadata claims no required environment variables or binaries while SKILL.md and the code clearly require TRAVELPAYOUTS_TOKEN, TRAVELPAYOUTS_MARKER and Stripe secrets; pyproject version (0.1.1) and registry version (0.1.3) also differ. The core capability is coherent, but the published metadata omits important runtime requirements.
Instruction Scope
Runtime instructions and scripts expect and use sensitive environment variables (Travelpayouts token/marker, Stripe secret/webhook secret) and persist conversation state to a local SQLite DB (data/whatsapp_state.db). The OpenClaw wrapper (scripts/zim-wa.sh and SETUP.md) sets default/hardcoded TRAVELPAYOUTS_TOKEN and TRAVELPAYOUTS_MARKER values; the wrapper is designed to be exec'd by the agent and to create symlinks in ~/.openclaw — these behaviors expand scope (writes to disk, auto-default credentials) beyond a simple read-only helper and should be reviewed.
Install Mechanism
No install specification is present in the skill registry (instruction-only), but the bundle includes a full Python package (pyproject.toml) and scripts that assume you will install dependencies (pip from pyproject). There are no remote download URLs or extract steps in the install, so install risk from external downloads is low — but the lack of an install spec is an operational mismatch you should handle (create a virtualenv and pip install . or add an explicit install step).
Credentials
The environment and credentials requested in SKILL.md (TRAVELPAYOUTS_TOKEN, TRAVELPAYOUTS_MARKER, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET) are appropriate for a travel + payment middleware. However the registry metadata declares no required env vars (incoherent), and the bundle contains hardcoded affiliate/token defaults (TRAVELPAYOUTS_TOKEN and TRAVELPAYOUTS_MARKER) in scripts/zim-wa.sh and SETUP.md — embedding or defaulting to an affiliate token in code is questionable (it attributes clicks to the hardcoded marker and may expose a token). Require only the credentials you need, and avoid baking tokens into distributed scripts.
Persistence & Privilege
The skill persistently stores conversation state in a local SQLite DB under the skill directory (data/whatsapp_state.db) and suggests symlinking into ~/.openclaw for discovery. It does not request 'always:true', does not modify other skills, and does not appear to escalate privileges. Persisting conversation history and creating a symlink are expected for a WhatsApp handler but are worth noting because they create local state that may contain sensitive user messages.
Scan Findings in Context
[hardcoded-travelpayouts-token-in-script] unexpected: scripts/zim-wa.sh and SETUP.md include a hardcoded TRAVELPAYOUTS_TOKEN value ('9d4c4a6e4e7293f88aa000c8014074ba') used as a default. Tokens should be supplied by the operator; embedding a token causes attribution to the packaged token and may leak credentials or attribute affiliate commissions to the package author.
[hardcoded-travelpayouts-marker-in-script] unexpected: scripts/zim-wa.sh and SETUP.md set a default TRAVELPAYOUTS_MARKER ('714990'). Hardcoded affiliate markers are not necessary for the skill to function and may improperly attribute clicks or expose operational defaults.
[metadata-mismatch-required-envs] unexpected: Registry metadata lists no required environment variables or primary credential, but SKILL.md and the code require TRAVELPAYOUTS_TOKEN/MARKER and Stripe secrets. This mismatch is an integrity issue: the runtime will fail or behave insecurely if envs are not provided and the registry doesn't declare them.
[no-install-spec-with-pyproject] expected: The bundle includes pyproject.toml with dependencies and a CLI entry point, but the skill record included no install spec. It's reasonable for a code-heavy skill to require installation steps; the risk is operational (user may not install dependencies) rather than malicious.
What to consider before installing
This package appears to implement the travel middleware it advertises, but several things don't add up and you should address them before installing:
- Do not rely on the hardcoded TRAVELPAYOUTS_TOKEN/TRAVELPAYOUTS_MARKER defaults in scripts/zim-wa.sh or SETUP.md. Replace or remove them and supply your own token/marker. If you or your org ever used the hardcoded token, rotate it.
- SKILL.md requires sensitive env vars (TRAVELPAYOUTS_TOKEN, TRAVELPAYOUTS_MARKER, STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET) but the published metadata omitted them. Only set STRIPE_SECRET_KEY/STRIPE_WEBHOOK_SECRET in a secure environment (use test keys first; do not paste production keys anywhere until you verify payment flow).
- Installation: this bundle includes pyproject.toml but no install spec. Install in an isolated virtualenv (python3 -m venv .venv; .venv/bin/pip install .) and review dependencies before running.
- Persistence: the WhatsApp bridge persists conversation state to data/whatsapp_state.db under the project directory and the SETUP.md suggests symlinking into ~/.openclaw. Decide whether you accept local state storage and do not symlink into shared system paths unless you trust the code and want the integration.
- Audit the code: search for any other hardcoded secrets, outgoing network endpoints, or telemetry. Run tests locally in a sandbox, and consider running the CLI with dummy tokens first.
Given the incoherences (missing registry env metadata, hardcoded affiliate token defaults, missing install spec) I recommend remediating those issues or running the package in a tightly controlled sandbox before enabling it in production.Like a lobster shell, security has layers — review code before you run it.
latestvk97eqepgq86kf265xeja834tq184vng5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.