ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QG Car

v0.1.0

Use when the user wants help with Qiguan campus bus tickets using the local qg CLI, including listing schedules, choosing Zhuhai/South/East campus routes, ge...

0· 64·0 current·0 all-time
by@qybaihe
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description ask for querying Qiguan bus schedules and creating WeChat order-entry links; the code implements a CLI that posts to a ticketing API (https://ebk.17u.cn/cxyopenapi) and builds links pointing at https://trans.17u.cn, which is consistent with the stated purpose. The skill writes a small cache to ~/.qiguan-cli to support the 'list → link' flow; no unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run the local qg CLI (qg list, qg link) and explicitly forbids auto-submitting passenger info or triggering payment. The runtime instructions and reference docs only reference the CLI, local cache file, and the upstream ticketing endpoints; they do not ask the agent to read unrelated files or exfiltrate environment variables.
!
Install Mechanism
The repository includes an install.sh and the README shows a curl -fsSL https://raw.githubusercontent.com/.../install.sh | bash one-liner. While the included script itself clones the GitHub repo or uses npm and then installs the CLI, curl|bash is a higher-risk installation pattern because it executes remote code without manual review. If installed via npm from the official package registry or by reviewing the install script first, risk is reduced.
Credentials
The skill declares no required environment variables or credentials. The code does access the user's home directory to store a small cache (~/.qiguan-cli/last-list.json), which is proportionate to its functionality. Network access to the ticketing API is necessary and expected.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide configuration. The install script copies the skill into per-user skill directories (~/.codex, ~/.openclaw) and installs a global npm CLI when requested; that is typical for CLI + skill packages and limited in scope.
Assessment
This package appears to do what it says: query schedules and build WeChat order-entry links. Before installing, prefer safer install paths: (1) install the npm package from the registry (npm install -g qg-skill) rather than piping a remote script into bash; (2) if you must run the install script, review install.sh locally first to confirm it does only the expected git/npm/copy operations; (3) note the CLI will write a cache file to ~/.qiguan-cli/last-list.json and will make network requests to the ticketing API (https://ebk.17u.cn) and build links to https://trans.17u.cn — that network activity is required for its purpose but be aware it contacts external services; (4) avoid storing passenger PII in the CLI as recommended by the README; and (5) if you need higher assurance, review the upstream GitHub repository and published npm package contents and signatures before installing. If you want me to, I can fetch and summarize the install.sh or point to lines in the code that perform network, filesystem, and clipboard operations.
dist/cli.js:237
Shell command execution detected (child_process).
src/cli.ts:298
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760a4jqr6q87hfar7e85kb2984dzr7
64downloads
0stars
1versions
Updated 1w ago
v0.1.0
MIT-0
@qybaihe
latest
Download

QG Car

Use the local qg CLI to help the user query Qiguan campus bus schedules and generate WeChat BusOrderWrite order-entry links.

Core Workflow

  1. List available schedules first unless the user already provides a valid list code:
qg list --today --available
  1. Narrow the list with the user's route, date, and Zhuhai station:
qg list --start zhuhai --to south --station zhuhai --today --available
qg list --start zhuhai --to east --station boya --tomorrow --available
qg list --start south --to zhuhai --date 2026-04-10 --available
  1. Prefer the Code column from the latest list result when generating the link:
qg link 1
qg link 1 --copy
  1. If no list code is available, generate by exact route and time:
qg link --start zhuhai --to south --station zhuhai --time 16:00
  1. Return the generated WeChat link and tell the user to open it in WeChat to complete passenger selection, order confirmation, and payment.

Do not call hidden order-save or payment APIs directly. The safe boundary for this skill is schedule lookup plus WeChat order-entry link generation.

Route Mapping

Campus keys:

zhuhai = Zhuhai campus side
south  = South Campus
east   = East Campus

Zhuhai station keys:

zhuhai = 珠海中大岐关服务点
boya   = 博雅苑
fifth  = 中大五院正门

Default route behavior:

qg list                       -> zhuhai to south, today
qg --start zhuhai             -> zhuhai to south, today
qg list --start south         -> south to zhuhai, today
qg list --start east          -> east to zhuhai, today
qg list --start zhuhai --all  -> zhuhai to both south and east

Use one side as zhuhai; direct south to east routes are not supported by this CLI.

User Intent Handling

If the user says "珠海去南校区", use:

qg list --start zhuhai --to south --available

If the user says "南校区回珠海", use:

qg list --start south --to zhuhai --available

If the user says "珠海去东校区", use:

qg list --start zhuhai --to east --available

If the user says "东校区回珠海", use:

qg list --start east --to zhuhai --available

If the user specifies "博雅苑" or "中大五院", add --station boya or --station fifth. Otherwise use the default Zhuhai station, --station zhuhai.

Dates default to today. The CLI supports --today, --tomorrow, and --date YYYY-MM-DD within one week.

Output Guidance

When listing schedules, summarize the useful rows with code, line time, boarding time, arrival time, station, price, seats, directness, and status.

When generating a link, include the link in a plain copyable block. Mention that the link is an order-entry link, not a completed booking.

If qg link CODE says there is no cached list, run qg list ... --available again and use the new code. If a link is stale or fails in WeChat, re-run qg list and qg link to refresh priceMark.

For detailed command behavior and troubleshooting, read references/qg-cli.md.

Comments

Loading comments...