Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

garden-parks

v3.2.2

Explore classical Chinese gardens, city parks, botanical gardens, and royal gardens — perfect for relaxing walks and cultural appreciation. Also supports: fl...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description claim travel/park discovery and booking; SKILL.md consistently requires the flyai CLI and only runs flyai search-poi / keyword-search commands. Requiring the flyai CLI is proportionate to the stated functionality.
Instruction Scope
Instructions are narrowly scoped to running flyai CLI commands, collecting parameters, formatting results, and enforcing that outputs include [Book]({detailUrl}) links. A notable artifact in the references (runbook.md) suggests appending an execution log to .flyai-execution-log.json if filesystem writes are available — this is not necessary to fulfill queries but is present in the skill docs and can cause local writes.
Install Mechanism
The skill is instruction-only (no install spec). It instructs the agent/user to run npm i -g @fly-ai/flyai-cli if flyai is missing. Using a published npm package is normal for this purpose, but the skill does not include a declared homepage/source in metadata; users should verify the @fly-ai package provenance before installing globally.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The runtime instructions do not request secrets or unrelated credentials.
Persistence & Privilege
The skill is not always-included and does not request elevated privileges. The only persistence-related behavior is an optional runbook suggestion to append an execution log file (.flyai-execution-log.json) to the working directory; this is local and limited but should be considered by users who want no logs written.
Assessment
This skill appears coherent for discovering gardens and parks via the flyai CLI. Before installing or allowing it to run, consider: 1) Verify the @fly-ai/flyai-cli npm package source and reputation (global npm installs run code on your machine). 2) The skill will try to run npm i -g @fly-ai/flyai-cli if the CLI is absent — be sure you want that action. 3) The references include an optional local execution log (.flyai-execution-log.json) which could store user queries/results; if you don't want local logs, block or inspect that behavior. 4) No credentials are requested by the skill, and it requires network access to contact flyai; if you trust the flyai service and the npm package, the skill is consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

Tags: booking, flyai, latest, travel
