Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
航班动态查询
v1.0.0酒店聚合助手,整合分贝通、携程、美团、同程、华住会、锦江等多个酒店数据源,提供统一的酒店搜索、房型查询、预订服务。Invoke when user wants to search hotels across multiple platforms or aggregate hotel data from vario...
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Multiple incoherences: top-level name/slug indicate a different capability (e.g., '航班动态查询' / 'flight-status-check') while SKILL.md and bundled Python files implement a hotel aggregator (fb-hotel-aggregation-skill). The skill claims integration with several commercial hotel platforms, but the code contains TODO stubs for those API calls and the skill does not request any API credentials or describe how to authenticate — inconsistent with the declared purpose.
Instruction Scope
SKILL.md explicitly requires calling each platform's APIs and forbids fabricating data, but provides no guidance about authentication, rate limits, or endpoints. The shipped Python modules contain placeholder _search_* functions (TODOs) rather than real API calls. Instructions therefore overpromise capabilities and give agents authority to contact external services without specifying how to do so safely.
Install Mechanism
No install spec (instruction-only) and required binary is python3, which matches included .py files. No remote downloads or archive extraction are present. Risk from install mechanism is low.
Credentials
The skill declares no required environment variables or credentials, yet its stated functionality (calling multiple commercial APIs for search/booking) would normally require API keys/secrets. Absence of declared auth is disproportionate and suggests either incomplete implementation or missing security documentation.
Persistence & Privilege
Skill does not request always:true, does not declare persistent system-wide changes, and contains no code that modifies other skills' configs. Autonomous invocation is allowed (platform default) but not combined here with other high-privilege requests.
What to consider before installing
This package appears internally inconsistent: the registry metadata/name/slug don't match the SKILL.md and code, and the code contains placeholder TODOs instead of implemented API calls. Before installing or enabling this skill, ask the publisher for: (1) a clear, consistent name/description and homepage/source; (2) an explanation of how it authenticates to each hotel platform (which env vars or secrets are required) and where credentials are stored; (3) a completed implementation or concrete API endpoint list and privacy/terms for booking; and (4) confirmation there are no hidden external endpoints. Do not provide real API keys or use it for production bookings until the authentication and network behavior are documented and you can review full implemented code. If you must test it, run it in an isolated/sandboxed environment and monitor outbound network traffic.Like a lobster shell, security has layers — review code before you run it.
latestvk97011bjs44nngy4f7rm27y58583xw1z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏨 Clawdis
Binspython3