ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Golf Tee Times

v1.0.0

Search for golf tee times and deals near any location. Find cheapest rounds, compare prices across platforms, and get discount tips. Use when asked about gol...

0· 595·0 current·0 all-time
byTag@tag-assistant
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included script and runtime instructions. The skill only needs curl/python3 and queries GolfNow's tee-time API (reverse-engineered) — this is proportional to a tee-time search tool.
Instruction Scope
SKILL.md instructs using the included Python script and the GolfNow POST API. It also suggests methods to discover FacilityId (site search or browser request interception). These instructions stay within the advertised scope, but the guidance to intercept browser requests is an operational detail users should be aware of (it requires manual network inspection).
Install Mechanism
No install spec; this is instruction-only plus an included Python script. No external downloads, package installs, or archive extraction are present — lowest install risk.
Credentials
The skill declares no required environment variables or credentials and the code does not attempt to read secrets or config paths. Network access to golfnow.com is the only external interaction and is consistent with purpose.
Persistence & Privilege
always:false and no special privileges. The skill does not modify other skills or system configs. It runs curl via subprocess when invoked, which is normal for this type of tooling.
Assessment
This skill appears coherent and implements exactly what it claims: a GolfNow tee-time search tool using curl/python and a reverse‑engineered POST API. Before installing, consider: (1) it relies on a private/reverse-engineered API — GolfNow may change the API or object to block automated access, and use may violate their terms of service; (2) the script spawns curl (subprocess) to make network requests — ensure curl is trusted on your system; (3) the SKILL.md suggests finding FacilityIds via browser request interception (manual network inspection) — that is operationally intrusive but not inherently malicious; (4) no credentials are requested, so you should not supply any secret keys. If you need higher assurance, review the script locally and confirm you are comfortable with automated POST requests to golfnow.com and the FacilityId discovery methods described.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ymg72xpmdpvea3wzcw21m181be5k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binscurl, python3

Comments