Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Travel CN
v1.0.0 · Travel information lookup - Qunar/Ctrip/Fliggy data queries (Chinese version of Expedia)
⭐ 1· 1.3k·16 current·18 all-time
by Guohongbin @guohongbin-git
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (travel lookups for Chinese platforms) match the SKILL.md content: it shows how to call Ctrip/Qunar/12306, use py12306, and run Selenium scraping. However, the SKILL.md references partner APIs that require credentials/partner access (e.g., the Ctrip API) but the skill declares no required environment variables or credentials. Also, the quick scripts (./scripts/*.sh) are referenced but not included in the package, which is an internal inconsistency.
Instruction Scope
The runtime instructions tell an agent to install Python packages (selenium, py12306), run Selenium to scrape websites, and curl partner APIs. These actions are within travel-skill scope but expand risk: scraping can trigger IP blocks or violate TOS, py12306 and some APIs likely require login credentials or cookies, and the SKILL.md directs running local scripts that are not provided. The instructions are concrete (not wildly open-ended) but they ask the operator to perform network scraping and installs without guidance on credential handling or safety.
Install Mechanism
There is no install spec and no code files that execute automatically; this is an instruction-only skill. That minimizes the risk of hidden executable installs. The only installation guidance is in prose (pip install), which runs only if a user follows it.
Credentials
The skill declares no required env vars or primary credential, yet the documentation references partner APIs and services that typically require API keys, partner credentials, or account logins (Ctrip, 12306, etc.). That mismatch means the skill does not declare how credentials should be provided, stored, or protected. Requiring unspecified credentials is a proportionality and transparency issue.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. Autonomous invocation is allowed by platform default but the skill does not ask for permanent presence or system config changes.
What to consider before installing
This is an instruction-only travel lookup skill that shows how to call partner APIs and how to scrape sites. Before installing or using it:
(1) Note that the SKILL.md refers to APIs (Ctrip) and services (12306) that usually require API keys or logins, but the skill doesn't declare or handle credentials — do not paste credentials into an untrusted skill.
(2) The examples call for pip installing packages (selenium, py12306) and running a browser driver — review and vet any packages before installing.
(3) The quick scripts referenced (./scripts/*.sh) are not included; don't execute unknown local scripts if you find them later.
(4) Web scraping can violate site terms and may expose your IP/account; prefer official partner APIs and explicit credential handling.
If you plan to use this, ask the author for: the missing scripts, explicit instructions on how to supply credentials safely (and what env vars to set), and assurances about legal/ToS compliance for scraping.
Like a lobster shell, security has layers — review code before you run it.
latestvk9705a0kenwn7zb4s0ypy4r7sn81e2dp
Runtime requirements
✈️ Clawdis
