ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lyft

v1.0.1

提供Lyft叫车服务、行程查询、费用估算及预约,支持多车型和支付管理,覆盖美国主要城市。

0· 94·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill metadata and description advertise ride-hailing, fare estimates, bookings, and payment management (which would require Lyft API access, OAuth, and/or payment integration). The SKILL.md contains only static brand/background information and no instructions for calling Lyft APIs or handling payments. This is a clear mismatch between claimed purpose and actual capability.
Instruction Scope
The SKILL.md is limited to presenting brand/company information and when to use the skill. It does not instruct the agent to read unrelated files, access environment variables, or transmit data to external endpoints.
Install Mechanism
No install spec is present (instruction-only skill), so nothing will be written to disk or downloaded. This is low risk from an install perspective.
!
Credentials
The described features (booking, payment management) would normally require credentials or API tokens, but the skill declares no required environment variables or primary credential. Either the skill cannot perform the advertised functions, or it omits necessary credential requirements — both are red flags.
Persistence & Privilege
The skill is not marked always:true and has normal invocation settings. It does not request elevated or persistent system privileges.
What to consider before installing
This skill's description promises active Lyft features (booking, fare estimates, payments), but the provided SKILL.md only offers encyclopedia-style information and requests no credentials. Do not rely on it for making bookings or entering payment credentials. Before installing or enabling: ask the publisher for the source code or a homepage, confirm how bookings/payments would be implemented (OAuth flow, Lyft developer app, where payment data is handled), and require clear documentation of any API keys or redirects to official Lyft endpoints. If you need ride-booking functionality, prefer an official Lyft integration or a skill that documents the exact API usage and credential requirements. If the publisher cannot clarify these gaps, treat the skill as untrustworthy for transactions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cktte28pt62q8v6n0frhr1x84w3sb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments