ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tokyo Jp

v1.0.1

提供东京旅游景点、文化、美食、住宿、交通及购物娱乐等实用信息和旅行建议。

0· 68·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Metadata/description promises Tokyo travel guidance (景点、交通、住宿等), but SKILL.md contains instructions for producing a brand profile ('tokyo-jp 品牌档案') and lists items like 发展历程、产品/服务、竞争格局. These two goals differ materially; the required behavior does not align with the stated purpose.
Instruction Scope
SKILL.md is instruction-only and very constrained: it directs the agent to '查找 tokyo-jp' and '了解 tokyo-jp 的背景' and offers a template for a brand profile. The instructions do not request credentials, local files, or external endpoints beyond implied web lookups, so scope is limited — but it does not implement the travel-info functionality advertised.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes technical attack surface — nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential request.
Persistence & Privilege
always:false and default invocation settings. The skill does not request elevated persistence or system-wide configuration changes.
What to consider before installing
This skill is low technical risk (no installs, no credentials), but it appears mislabeled: the description promises Tokyo travel info while the runtime instructions are a generic brand-profile template for 'tokyo-jp'. Before installing or enabling, consider: 1) Is the source trusted? (source is unknown) 2) Do you need a travel-information skill or a brand-profile tool? If you expected travel guidance, this skill likely won't deliver that. 3) Ask the publisher for clarification or prefer a skill from a verified source. Because it requests no secrets and does not install code, the security risk is low, but user expectations and functionality are inconsistent — treat as suspicious and verify before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk970e1az69bhj320px9fykpqt584xqcb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments