Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Book Hotels with Hot Spring Baths — Onsen Pools, Private Hot Spring Rooms, Ryokan Stays
v3.2.0
Find and book hotels with hot spring baths — onsen pools, private hot spring rooms, ryokan stays, thermal spa resorts. Also supports: flight booking, hotel r...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (finding and booking onsen hotels) matches the CLI commands it instructs the agent to run (flyai search-hotel / search-poi). However, it depends entirely on an external CLI (@fly-ai/flyai-cli) that is not bundled and has no registry homepage provided, and the skill does not declare how the CLI will authenticate to the claimed provider (Fliggy). Requiring a third-party CLI is reasonable for live booking, but the lack of declared credential requirements or vendor/source information is a notable gap.
Instruction Scope
SKILL.md instructs the agent to install and run an external CLI, run many flyai commands, and persist a run log file (.flyai-execution-log.json) if filesystem writes are available. The runbook stores user queries and command output in the log. Instructions also force strict runtime behavior (never answer from training data, always include booking links). The filesystem logging of raw user_query and CLI results can expose user data on disk; the skill’s instructions give the agent authority to install and execute external code and to write persistent logs without describing retention or access controls.
Install Mechanism
There is no install spec in the registry; instead SKILL.md mandates running npm i -g @fly-ai/flyai-cli at runtime if the CLI is missing. Installing an arbitrary global npm package at runtime is moderate-to-high risk: it pulls remote code that will run on the host, may require elevated privileges, and the package source/maintainer is not validated in the skill files (no homepage, no source). This is an instruction-only skill that nevertheless causes the agent to perform a network install, increasing attack surface.
Credentials
The skill declares no required environment variables or credentials, yet it expects to perform bookings 'powered by Fliggy'. It does not explain where credentials come from (CLI interactive login, local config, or implicit tokens). The runbook also logs user_query and CLI commands/results locally, which is a form of data persistence/exposure not reflected in the declared requirements. The absence of declared auth requirements combined with necessary remote API access is a proportionality and transparency concern.
Persistence & Privilege
The skill will persist an execution log to .flyai-execution-log.json if filesystem writes are available, storing user_query and CLI results. While the skill is not marked always:true, it still requests persistent local logging and can install and run external code. Persistent logs of user inputs and commands increase privacy risk and the blast radius of any compromised CLI.
What to consider before installing
This skill relies entirely on installing and running a third-party npm CLI (@fly-ai/flyai-cli) at runtime and may write persistent logs of your queries to disk. Before installing or enabling it:
1) Verify the npm package and its publisher (inspect the package on npmjs.org or its repository) and confirm it is the official Fliggy/authorized client;
2) Ask the skill author for a homepage, source repo, and details on where booking credentials are stored and how authentication is handled;
3) If you must test it, run the CLI installation in a sandboxed environment or VM and inspect what files/configs it creates;
4) Ensure you are comfortable with the skill writing .flyai-execution-log.json containing your queries and results, or ask for an option to disable local logging.
If you cannot verify the CLI publisher or don't want a runtime global npm install and persistent logs, do not enable the skill.
