ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taxi

v1.0.0

Handle everything for ground transportation, from price comparison to booking, tracking, disputes, and expense management.

0· 608·0 current·0 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the content: all guidance and workflows relate to ride comparison, booking assistance, tracking, disputes, and expense logging. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md instructs the agent to read/write a ~/taxi/ folder (memory.md, trips.md, accounts.md, promos.md) and to drive browser interactions with ride-booking sites and public promo sources. That is coherent with the stated purpose, but it grants the skill authority to store and read local personal data (addresses, account emails, trip history). The instructions explicitly say not to store full payment details, which mitigates some risk, but the agent will still handle sensitive trip and account info if enabled.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk footprint and eliminates remote package/install risks.
Credentials
The skill declares no environment variables, no credentials, and no config paths beyond the user-local ~/taxi/ directory. The fields suggested to be stored (emails, phone, credits) are reasonable for its purpose but could be sensitive; the skill does not request broad or unrelated credentials.
Persistence & Privilege
Persistence is local to ~/taxi/ (user-owned directory). The skill is not always-enabled and does not request elevated or cross-skill privileges. Still, storing trip history and account notes on disk is persistent — users should be aware of privacy implications and filesystem permissions.
Assessment
This skill appears to do what it says: compare rides, help with bookings, track trips, and manage disputes. It asks for no external credentials or installs, but it does create and use files under ~/taxi/ that can contain personal data (saved addresses, emails, trip receipts, referral codes). Before enabling: (1) inspect ~/taxi/ contents and set strict file permissions (chmod 700 or equivalent); (2) avoid putting full payment credentials or unencrypted tokens in the memory files; (3) confirm you are comfortable with the agent performing browser interactions on ride websites; and (4) if you want stronger protection, keep sensitive account credentials out of the skill's local memory and handle final payment/verification steps yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e4gcfqeq78t1gbps7y258rn81axxj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚕 Clawdis
OSLinux · macOS · Windows

Comments