Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
voyager-travel-agent
v1.0.9
Alipay+ Voyager Travel Agent. Provides comprehensive travel solutions including flight search, hotel recommendations, and multi-day itinerary planning. Use w...
⭐ 25 · 179 · 0 current · 0 all-time
byzhulei@voyageragent
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with included scripts and reference docs: flight and hotel searches are performed by the provided search-flights.sh and search-hotels.sh that call Alipay+ Voyager APIs. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md requires invoking the included scripts and explicitly mandates that all results come from those tools. The scripts perform network calls to external Alipay endpoints and will transmit user query data (dates, cities, subQuery). The SKILL.md does not declare or warn about these remote calls or privacy implications.
Install Mechanism
There is no install spec (instruction-only), which is lower risk, but the included shell scripts assume the presence of curl and jq (and a bash shell). The skill's metadata did not declare these required binaries, so execution may fail or behave unexpectedly if dependencies are missing.
Credentials
No environment variables or credentials are requested, which is proportionate. However, the SKILL.md claims 'no API key for trial usage' while scripts POST user-supplied data to Alipay endpoints — this may expose user queries to an external service without explicit consent or authentication details documented.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system changes, and does not modify other skills or system-wide config.
What to consider before installing
This skill will run the included shell scripts which POST user-supplied query data (cities, dates, natural-language subQuery) to Alipay+ Voyager endpoints (https://ivguserprod.alipay.com/...). Before installing, consider:
1) privacy — queries (possibly containing personal/travel plans) are sent to an external domain; confirm you are comfortable with that and check any applicable privacy policy;
2) dependencies — the scripts assume curl, jq, and bash are available but the skill metadata does not declare them; ensure your environment has them or the tools will fail;
3) API key/auth — the SKILL.md claims trial use without keys but the endpoints may require authentication in some environments; test with non-sensitive data first;
4) inspect and/or sandbox execution — review the scripts and, if possible, run them in a restricted environment or with network monitoring to see what is sent; and
5) if you need stronger guarantees about data handling, request clarification from the skill author or avoid using the skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk97733r890hp9qhk0jnze03r3n84b855
