Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
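Smart Travel Booking (智慧旅行预订)
v1.0.0
Hotel aggregation assistant that integrates multiple hotel data sources, including 分贝通, 携程, 美团, 同程, 华住会 and 锦江, and provides unified hotel search, room-type lookup, and booking services. Invoke when user wants to search hotels across multiple platforms or aggregate hotel data from vario...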
by 赵瑞宇 (@ryan-zry)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description promise multi-platform hotel aggregation (携程、美团、分贝通等). However, the bundle requests no API keys, credentials, or config paths that would normally be required to call those commercial APIs. The included code defines base_url entries for each provider and TODO stubs for API calls, indicating it is not a finished integration. That mismatch (promised multi-platform live API access vs no declared secrets or integration instructions) is a significant coherence issue.
Instruction Scope
SKILL.md explicitly requires calling each platform's API and forbids fabricating data, but it gives no guidance for authentication, rate limiting, or how to obtain API credentials. The SKILL.md also includes a 'required: true' field in metadata that conflicts with the registry flags (registry shows always:false). The runtime instructions do not ask the agent to read unrelated local files, but the requirement to call external APIs without specifying auth or acceptable endpoints leaves broad, vague agent discretion.
Install Mechanism
There is no install spec (lowest install risk). However, the code is Python and uses the third-party 'requests' library but the skill only declares 'python3' as a required binary — it does not declare Python package dependencies (e.g., requests). That omission means attempting to run the code could fail or lead integrators to install dependencies ad-hoc. The code files themselves include network calls (base_url values) which will attempt outbound requests if implemented.
Credentials
No environment variables or credentials are declared, yet the skill's purpose (calling commercial hotel APIs) normally requires API keys, client secrets, or other auth. The code currently contains placeholder search functions (TODOs) and will need platform-specific auth to be functional. The lack of declared credentials or a clear plan for secure secret handling is disproportionate to the stated integration needs.
Persistence & Privilege
The skill is not configured as always:true and does not request any agent-wide persistent privileges. It does not attempt to modify other skills or agent config in the provided files. Autonomous invocation is enabled by default but is not combined with other high-risk privileges here.
What to consider before installing
This skill is incomplete and inconsistent: it promises live multi-platform aggregation but doesn't declare the API credentials or Python dependencies it would need. Before installing, ask the provider for: (1) a clear list of required API keys/tokens and how they are used/stored; (2) a dependency/install spec (pip packages, versions) so you can run it safely; (3) evidence of working integrations (or tests) for each data source. Avoid running it with broad network access or on sensitive systems until you confirm where credentials are supplied and how outbound requests are limited; consider running it in a sandbox or review/complete the TODO API implementations yourself or with a trusted developer.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏨 Clawdis
Bins: python3
