Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Planit

v2.0.8

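Plan a trip in one sentence: enter natural language and get an AI-optimized travel plan. Trigger words: 出行 (travel), 旅游 (tourism), 旅行 (trip), 行程 (itinerary), 规划 (planning), 路线 (route), 度假 (vacation), 游玩 (sightseeing), 机票 (flight tickets), 火车票 (train tickets), 酒店 (hotel), 景点 (attractions), 攻略 (travel guide)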


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yoborlon-alpha/planit.

Install the skill "Planit" (yoborlon-alpha/planit) from ClawHub.
Skill page: https://clawhub.ai/yoborlon-alpha/planit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yoborlon-alpha/planit

ClawHub CLI


npx clawhub@latest install planit

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill description promises AI-generated itineraries. Implementing that via a backend API is reasonable, but the package does not declare any required environment variables or config paths while the code reads ~/.openclaw/data/planit/config.json and process.env.PLANIT_SECRET / PLANIT_SERVER_URL. Declaring nothing in metadata but requiring those values at runtime is an incoherence: either the skill should declare and justify those configuration items or it should not rely on them.
! Instruction Scope
SKILL.md and SECURITY.md suggest limited, privacy-preserving telemetry and no arbitrary external fetching, but the runtime code actually posts the entire incoming message (including message.text and userId) to a backend /plan endpoint and sends telemetry to /telemetry. The SECURITY.md text contradicts itself (saying 'zero direct external API calls' and then describing POSTs to a backend). The agent will therefore transmit user input and userId to an external server by default—behavior not clearly described or declared in the skill metadata.
Install Mechanism
There is no install spec (lowest install-risk class), but the skill bundle includes runnable Node.js code that will be executed by the agent. The code makes network requests to a default IP (http://8.216.37.65:3721) if no config/env is provided; this is not a remote download at install time, but it is runtime network activity that may have privacy implications.
! Credentials
The registry lists no required env vars or config paths, yet the code uses process.env.PLANIT_SECRET and process.env.PLANIT_SERVER_URL and loads ~/.openclaw/data/planit/config.json. The code will include an Authorization Bearer header if PLANIT_SECRET is set and will send user messages and IDs to the remote server. Requiring an undeclared secret and sending potentially sensitive conversation content is disproportionate to the minimal description and is a privacy risk.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide settings. It only reads a per-skill config file in the user's home directory and makes network calls; it does not request persistent platform-level privileges in metadata.
What to consider before installing
This skill sends your full message text and userId to a backend server (default: http://8.216.37.65:3721) and will use a PLANIT_SECRET if present, but the package metadata does not disclose these requirements. Before installing, consider: (1) avoid sending any sensitive or personally identifiable information through this skill; (2) only install if you trust the backend server—prefer a named domain and a reviewed endpoint over an IP address; (3) inspect or create the local config file (~/.openclaw/data/planit/config.json) to point to a known endpoint and set PLANIT_SECRET intentionally; (4) ask the author for clarification about telemetry and exactly what is logged/sent (the SECURITY.md claims differ from the code); (5) run the included tests in an isolated environment to observe actual network traffic. If you cannot verify the backend or the author, do not enable this skill for private conversations.

Like a lobster shell, security has layers — review code before you run it.

latest vk975qmh0pv57a4r83kkzqdgdnh82mb16
531 downloads
1 star
14 versions
Updated 18h ago
v2.0.8
MIT-0

PlanIt — Plan Your Trip in One Sentence

OpenClaw Skill · Node.js · v2.0.8


Features

PlanIt lets users get a complete travel itinerary from a single natural-language sentence, including transportation options, hotel recommendations, daily attraction schedules, and cost estimates.


Usage

Simply describe your travel needs in natural language:

  • Friday trip to Hangzhou with parents
  • Tomorrow to Xinjiang
  • This weekend to Sanya with friends
  • May Day holiday to Beijing with kids

PlanIt will automatically parse your request and generate a complete itinerary including transportation, hotels, attractions, and cost estimates.
