ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Travel Swarm

v1.0.0

Integrated travel planner combining FlyAI ticket prices, Gaode and Tencent map POI, Meituan food recommendations, and fallback McDonald's options.

0· 64·1 current·1 all-time
by@timo2026

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for timo2026/travel-swarm.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Travel Swarm" (timo2026/travel-swarm) from ClawHub.
Skill page: https://clawhub.ai/timo2026/travel-swarm
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install travel-swarm

ClawHub CLI

Package manager switcher

npx clawhub@latest install travel-swarm
Security Scan
Capability signals
CryptoRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code files (flyai_client, amap/meituan/tencent clients, multi_mcp, report generator) align with the stated travel-planner purpose. However, there are surprising artifacts: several socratic/engine components include CNC/industrial keyword handling (unrelated to travel) and the README/SKILL.md names of map API env vars (GAODE_API_KEY) do not match code usage (AMAP_API_KEY). These suggest code reuse or sloppy packaging rather than pure intent mismatch, but they are unexplained.
!
Instruction Scope
SKILL.md runtime instructions are limited (install via clawhub, set API keys), but the repo/docs contain operational instructions to run a long‑running web service on port 7860, watchdog/resurrection scripts, and a hardcoded external IP (http://47.253.101.130:7860/) in deployment docs. The code invokes external MCP endpoints and model clients (minimax), and some modules will read environment variables beyond those declared in the SKILL.md. This broad operational scope (service hosting + watchdog) is not fully reflected in the top-level skill metadata.
Install Mechanism
There is no install spec that downloads arbitrary payloads (lowest-risk install type). The bundle includes many source files and helper scripts, so installation will place code on disk and likely run a web service if followed. No external archive/URL-based install was detected, which reduces immediate supply-chain risk, but the included startup/watchdog scripts increase operational persistence once installed.
!
Credentials
SKILL.md lists required API keys (FLYAI_API_KEY, GAODE_API_KEY, optional TENCENT_MAP_KEY and MEITUAN_API_KEY) but the registry metadata claims 'none' for required env vars — a direct mismatch. The code expects AMAP_API_KEY in places (os.getenv('AMAP_API_KEY', '')) rather than GAODE_API_KEY, and other components (minimax_client, FlyAIClient) imply additional credentials (MINIMAX_API_KEY, etc.) not declared in SKILL.md. Asking for multiple external service keys is reasonable for this feature set, but the inconsistent naming and undocumented credential needs are a red flag: misconfiguration could leak or misroute secrets.
Persistence & Privilege
The skill does not set always:true and is user-invocable only (normal). However, the repository includes watchdog/resurrection scripts and service startup guidance to run a persistent web UI on port 7860. If a user follows those docs, the skill will become a persistent networked service. This is not inherently malicious but raises the operational blast radius in combination with networked API clients and model calls.
What to consider before installing
This package appears to be a real multi-MCP travel planner, but there are multiple inconsistencies and operational risks you should check before installing: - Verify which environment variables the code actually reads. SKILL.md lists GAODE_API_KEY but code uses AMAP_API_KEY; ensure you map your keys correctly and avoid pasting unrelated secrets. Search the code for os.getenv(...) to find all expected names (e.g., AMAP_API_KEY, MINIMAX_API_KEY, FLYAI keys). - Expect the skill to make outbound network calls to FlyAI, Amap/Gaode, Tencent, Meituan and to model endpoints (minimax). Only supply API keys you trust and run the skill in an isolated environment if possible. - The repo includes scripts and docs to run a web service on port 7860 and watchdog/resurrection scripts and even a hardcoded external IP in docs. Do not blindly run startup/watchdog scripts as root; review them first and consider running under a container or sandbox. - The codebase contains unrelated-looking CNC/industrial logic and many test/dev files — this suggests code reuse. Review the code paths that handle user input and external calls (flyai_client, multi_mcp_client, minimax_client) for any unexpected data exfiltration or unknown endpoints. - If you are not comfortable auditing the code, run it in an isolated VM/container with no sensitive credentials mounted. Prefer providing per-service API keys with limited privileges and rotate them after testing. If you want, I can list the exact files that read environment variables and the exact env-var names the code expects, or scan the codebase for hardcoded external hosts and URLs to help you decide.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cs768k6qmngbhfh5yg6mw1h84qt6y
64downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@timo2026
latest
Download

openclaw-travel-swarm-v8

多MCP集成智能旅行规划系统 - FlyAI+高德+腾讯+美团+麦当劳

功能

  • FlyAI真实票价查询(飞猪实时数据)
  • 高德vs腾讯POI验证
  • 美团美食推荐
  • 麦当劳兜底方案
  • 地图截图生成

使用

触发口令:

  • 旅行规划
  • 旅游攻略
  • 订票
  • 美食推荐

安装

clawhub install openclaw-travel-swarm-v8

配置

需要配置以下API密钥:

  • FLYAI_API_KEY
  • GAODE_API_KEY
  • TENCENT_MAP_KEY(可选)
  • MEITUAN_API_KEY(可选)

作者

海狸 🦫

许可证

MIT

Comments

Loading comments...