Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

group-tour

v3.2.3

Find organized group tours and travel packages with professional guides, planned itineraries, meals included, and hassle-free travel for those who prefer str...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the runtime instructions: the skill wraps the @fly-ai/flyai-cli to fetch real-time group tour, flight, hotel and POI data. Requiring the agent to use that CLI with the listed parameters is coherent with the stated purpose.
Instruction Scope
SKILL.md restricts all answers to flyai CLI output and enforces specific command usage and output formatting (including mandatory booking links). That's consistent with the purpose, but the instructions also require writing an execution log (see runbook) and explicitly tell the agent to install a global npm package if missing — both expand the agent's scope beyond read-only query execution.
Install Mechanism
There is no formal install spec in the skill bundle; instead SKILL.md instructs the agent/user to run `npm i -g @fly-ai/flyai-cli`. Installing a global npm package is a moderate-risk action (third-party code execution and system modification) and the package origin/trustworthiness is not documented in the skill metadata.
Credentials
The skill declares no environment variables or credentials, which is appropriate. However, the runbook suggests persisting per-request logs to a local file (`.flyai-execution-log.json`) containing user_query and other details — this may store PII or sensitive travel info without being declared in requirements.
Persistence & Privilege
The skill does not request 'always' privilege, but it instructs installing a global CLI and may write persistent logs to disk. These side effects are not expressed in the skill metadata (no required config paths), so the skill can alter the environment and leave persistent artifacts without explicit declaration.
What to consider before installing
This skill appears to be a thin wrapper around the third-party @fly-ai/flyai-cli and is coherent with its description, but proceed cautiously. Before installing or running: (1) verify the npm package (@fly-ai/flyai-cli) is from a trusted source (check its npm page, maintainer, and GitHub repo); (2) be prepared that the skill may prompt to install a global npm package (which modifies your system), and avoid doing so on sensitive or production machines; (3) note the runbook instructs writing an execution log (.flyai-execution-log.json) that can contain user queries and other details — run in a sandbox if you do not want persistent logs containing PII; (4) because the skill makes live network calls via the CLI, expect outbound network traffic to the service used by the CLI; (5) if you need higher assurance, ask the skill author for an explicit install spec, the flyai-cli repository URL, and confirmation of what the CLI logs. If you are uncomfortable with a global npm install or automatic file writes, do not install/run this skill or run it only in an isolated environment.


