Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Travel Guide Test
v1.0.0
Plan trips end-to-end and turn them into polished static travel-guide webpages deployed to Cloudflare Pages. Use when a user wants help deciding where to go,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description are travel-focused and the SKILL.md provides detailed, appropriate planning and publishing guidance. However, the description promises 'deploy to Cloudflare Pages' while the skill declares no required credentials, binaries, or install steps — deployment normally requires either a Cloudflare API token or a CLI (e.g., wrangler) or manual steps. The absence of any declared deployment credentials, binaries, or config requirements is a potential mismatch.
Instruction Scope
The instructions ask the agent to gather personal and group details (ages, mobility constraints, etc.) which is reasonable for planning, but they also say the skill 'may create' and 'reuse' durable traveller profiles. The SKILL.md does not specify where or how profiles are stored or protected (no config paths, storage backend, or deployment artifacts are declared). If the runtime expects persistent storage or will transmit profiles to external services for publishing, that should be explicit. The guidance to 'deploy to Cloudflare Pages' expands scope to cloud deployment without explaining the authentication or endpoint handling.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That minimizes on-disk risk and there are no downloads or package installs declared.
Credentials
No environment variables, credentials, or config paths are declared even though the SKILL.md mentions publishing live sites on Cloudflare Pages and reusing profiles across sessions. Publishing to Cloudflare normally requires a Cloudflare API token (or OAuth flow) and/or a CLI tool. Asking for user data (ages, travel constraints) is justified for planning, but the skill does not justify or declare any mechanism for storing or protecting that data.
Persistence & Privilege
The skill is not marked always:true and has no installs, so it doesn't request elevated platform privileges. However, the SKILL.md's encouragement to 'store durable travel-planning preferences' implies persistence; the skill doesn't declare where this persistence occurs or whether it will modify agent configuration or external services. That ambiguity is a risk factor to clarify before use.
Scan Findings in Context
[no_regex_findings] expected: The static regex-based scanner found nothing to analyze because this is an instruction-only skill with no code files. That absence is expected but does not imply the skill is safe—runtime instructions (e.g., asking for credentials or storing profiles) are the main surface.
What to consider before installing
This skill is primarily a detailed travel-planning guide, but it also says it will publish sites to Cloudflare Pages and may store reusable traveller profiles — the SKILL.md does not explain how deployment or storage are handled. Before installing or using it:
1) Ask the author how Cloudflare Pages deployment is performed (will it prompt you to paste an API token, use a URL you must visit, or use a CLI?), and require that any automated deployment ask explicitly and not accept permanent credentials silently.
2) Clarify where traveller profiles are stored, who can access them, and whether they are encrypted or persisted outside your agent session.
3) Avoid providing highly sensitive personal data (full IDs, passport numbers, payment data).
4) If you plan to use the Cloudflare deployment feature, prefer giving a scoped, short-lived API token with only Pages permissions or perform the publish step manually.
5) If the author cannot explain deployment/storage mechanics, treat the deployment/storage features as untrusted and use the skill only for planning text (not live publishing or long-term profile storage).
Like a lobster shell, security has layers — review code before you run it.
