ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Air Route Calculator - Projected Flight Maps

v1.3.22

Use when the user wants aviation route maps, ETOPS-aware route analysis, projection comparisons, airport lookup, or SVG map rendering through a local Circulu...

0· 73·0 current·0 all-time
byGerald He@skylinehk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the asset contents and instructions. All declared behavior (route solving, ETOPS, projection, SVG rendering) is supported by the provided docs and example payloads. No requested env vars, binaries, or unrelated capabilities are present.
Instruction Scope
SKILL.md instructs the agent to talk to a local MCP endpoint, use specific MCP tool calls (map.solve_query, map.solve_spec, etc.), and avoid proxying arbitrary URLs. It references local paths and startup commands only; it does not instruct reading unrelated files or exfiltrating data.
Install Mechanism
No install spec or remote downloads are present — this is an instruction-only skill with documentation on running the local app (npm run dev / npm run mcp:dev). No archives or external URLs are used for installs.
Credentials
No required env vars, credentials, or config paths are declared. references/local-setup.md suggests local env vars for convenience, but these are optional and local-only; nothing requests secrets or unrelated service credentials.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. The included agents/openai.yaml sets allow_implicit_invocation: false for that agent, while platform flags show the normal default (disable-model-invocation: false); there is no evidence the skill modifies other skills or system-wide settings.
Assessment
This package appears to be a local/offline-only Circulus MCP client and is coherent with its description. Before using it: (1) verify you run the MCP worker locally at http://127.0.0.1:8788/mcp (the skill expects that endpoint); (2) you'll need to run the project locally (npm run dev / npm run mcp:dev) — the skill does not auto-install anything; (3) confirm the MCP URL is localhost and not repointed to an external host (if someone changes the MCP endpoint to a remote server, the agent could send local queries off-host); and (4) note the skill requests no credentials and is suitable for air-gapped or privacy-sensitive workflows. If you need higher assurance, inspect the actual running MCP worker code (not included here) before sending sensitive data through it.
!
agents/openai.yaml:14
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

aviationvk977c5e7kqksc1c5y51vzb5h1x83bgmplatestvk97a90n8p5m05vg1v2wbx2da2h83bpqtmapsvk977c5e7kqksc1c5y51vzb5h1x83bgmpmcpvk977c5e7kqksc1c5y51vzb5h1x83bgmpofflinevk977c5e7kqksc1c5y51vzb5h1x83bgmptravelvk977c5e7kqksc1c5y51vzb5h1x83bgmp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments