Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
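Independent Travel Concierge for Seniors
v1.0.0
Unified entry point for the independent travel concierge, responsible for intent recognition, routing and dispatch, and cross-skill coordination. Use when a parent mentions things such as "itinerary lookup", "not feeling well", "I'm lost", "rate the service", or "view photos".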
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (elder travel concierge) aligns with the instructions: intent routing, emergency handling, itinerary queries, photo/video generation, health monitoring and fraud alerts. However the SKILL.md describes many integrations (flight/order APIs, Alicloud AI, WeChat/DingTalk sharing, wearable sync, voice cloning, automatic photo collection) while the skill declares no required env vars/credentials — a proportionality gap that should be explained (is the platform expected to supply credentials/tools?).
Instruction Scope
The runtime instructions direct the agent to handle highly sensitive data and actions: health records, GPS location, device_info, automatic collection of photos from multiple sources, calling emergency services (120), notifying children, and voice cloning/auto‑TTS. These are coherent with the stated emergency/assistance purpose, but the doc gives broad, automatic authority (e.g., '自动收集素材', '自动拨打 120', '语音克隆') without explicit consent/authorization, data flows, or fail‑safes. Additionally a prompt‑injection indicator (unicode control characters) was detected inside SKILL.md, which suggests the skill text itself may include hidden characters intended to influence model behavior.
Install Mechanism
This is an instruction‑only skill with no install spec and no code files — lowest installation risk. Nothing is written to disk by the bundle itself. That said, it depends on platform tools/APIs (referenced in tools/*.md) which are outside this package.
Credentials
The skill declares no required environment variables or primary credential, yet it documents many external APIs and integrations (internal Fliggy APIs, Alicloud AI, WeChat/DingTalk, map services, wearable sync, payment/refund flows, insurance, voice‑clone). In practice those integrations require credentials and scoped access. The absence of declared env vars/configs is a coherence issue and may hide implicit expectations about platform-provided credentials or overbroad access.
Persistence & Privilege
always:false and no install actions means it does not demand permanent, unconditional inclusion or system-level changes. It does describe storing context/session data and sharing across subskills — normal for an orchestrator — but there is no instruction to modify other skills or system-wide configs.
Scan Findings in Context
[unicode-control-chars] unexpected: The scanner found unicode control characters in SKILL.md. These are not expected for a normal documentation/instruction file and can be used to hide content or attempt prompt‑injection of downstream models. This increases risk and should be removed or explained.
What to consider before installing
Plain-language checklist before installing or enabling this skill:
1) Source & provenance: confirm who published this skill and obtain an authoritative contact; avoid installing skills from unknown/unverified authors.
2) Credentials & platform tools: ask the developer which credentials/APIs the skill needs and where they would be stored. The SKILL.md references many external services (order APIs, Alicloud AI, WeChat/DingTalk, map providers, wearable sync, voice clone). Those require explicit, least‑privilege credentials — do not provide unrelated secrets. If the platform supplies credentials automatically, ask for a list and scopes.
3) Data flows & consent: get a clear data‑flow diagram. The skill accesses/maintains health records, GPS, phone numbers, photos, and may auto‑share them with subskills, children, service providers, and third parties. Confirm where sensitive data (health, location, photos, voice clones) is stored, how long it is kept, who can access it, and how users (parents and children) give and revoke consent.
4) Emergency & automated actions: confirm exactly what triggers automatic calls (e.g., dialing 120) and whether there is an opt‑out or human verification step. For voice cloning and auto‑outbound calls, obtain explicit consent from parties whose voice/data is used.
5) Remove hidden chars / audit SKILL.md: request a clean, canonical copy of SKILL.md with hidden/control characters removed and ask for a short security review explaining why such characters were present.
6) Voice cloning & privacy: if the skill supports cloning a child's voice, require proof of consent, storage location of cloned models, and retention/deletion policies.
7) Minimum privileges: insist on least‑privilege credentials and audit logs showing actions (calls placed, data shared). Make sure emergency and payment flows cannot exfiltrate credentials or perform high‑impact actions without explicit confirmation.
8) If you cannot obtain satisfactory answers about credentials, consent, and the unicode control characters, treat the skill as untrusted and do not install it. The functional design is coherent for an elder travel assistant, but the prompt‑injection indicator and the lack of declared credentials for many external integrations make this package risky until clarified.
