ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cathay Pacific

v1.0.6

提供国泰航空航班搜索、预订、值机、升舱、里程查询和贵宾室信息等全方位服务。

0· 79·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's metadata and Chinese description advertise interactive capabilities (flight search, booking, check-in, upgrades, miles lookup, lounge info). However the only runtime artifact (SKILL.md) contains a static company overview and usage guidance; there are no instructions, APIs, binaries, or environment variables to perform bookings or check-ins. This is a clear mismatch between claimed capabilities and what is actually provided.
Instruction Scope
The SKILL.md is limited to presenting sections (brand history, business overview, market distribution, competition) and suggested uses; it does not instruct the agent to read local files, access environment variables, call external endpoints, or transmit data. From an execution-safety perspective the instructions are narrow and contained.
Install Mechanism
There is no install spec and no code files; this instruction-only skill writes nothing to disk and does not install packages. That is low-risk and consistent with the SKILL.md content.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. Given that the skill is informational, this is proportionate — but it also highlights that operational features advertised in the description are not implemented (they would normally require credentials or APIs).
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no evidence it requests elevated or persistent privileges. Autonomous invocation is allowed by default but not combined here with other high-risk factors.
What to consider before installing
This skill appears misleading: its description promises interactive airline functions (searching, booking, check-in, managing upgrades/miles), but the actual runtime instructions only provide a static company overview and no integration or actionable steps. Installing it is low technical risk (no code, no credentials), but it will not perform bookings or check-ins. Before installing, consider: 1) If you need booking/check-in features, use the official Cathay Pacific app/website or a skill that documents API integration and required credentials. 2) Ask the publisher for provenance or a homepage (source is unknown). 3) Do not enter any personal or payment credentials into a skill that does not clearly implement secure, documented APIs. If you proceed, treat this as an informational reference only — not an operational tool.

Like a lobster shell, security has layers — review code before you run it.

latestvk9749y77h7mmw4t0kpdytapfr584x6wq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments