Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
weekend-escape
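v1.0.0
Weekend escape plan: short-trip itineraries for city dwellers, departing Friday evening and returning Sunday evening. Use this skill when the user says "where should I go this weekend", "I want to escape the city", "recommend a short trip", or needs a plan for relaxing over the weekend.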
by 厉云涵 (@yunhanli7)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (weekend travel recommendations) matches the instructions (recommend destinations, build 48-hour plans, query transport/hotels/POI). However, the SKILL.md explicitly uses a 'flyai' CLI (flyai search-flight / search-hotel / search-poi). The registry metadata lists no required binaries, env vars, or install steps. That mismatch — an undeclared external tool the instructions rely on — is disproportionate/unexplained and should be justified.
Instruction Scope
Instructions are narrowly scoped to travel planning and specify concrete commands to query flights, hotels, and POIs using the flyai CLI. They do not request unrelated files or credentials. However, they instruct the agent to contact/search via an external tool (flyai) and to include '预订链接' (booking links) and images; SKILL.md does not say where flyai comes from or what network endpoints it will call, leaving open what remote services will receive user query data.
Install Mechanism
There is no install spec (instruction-only), which normally lowers risk. But because SKILL.md requires 'flyai' to perform searches, the absence of a declared install or required binary is concerning: either the environment must already have flyai (not guaranteed) or the agent may attempt to obtain/execute it by other means. The missing provenance for the external tool is the main install-related risk.
Credentials
The skill does not request environment variables, credentials, or config paths. All declared requirements are absent, which is consistent with the idea of an instruction-only skill — except for the undeclared flyai dependency noted above. No secrets are requested in the current manifest.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It does not request persistent system-level changes in the manifest or SKILL.md. No indicators that it will modify other skills or system-wide configs.
What to consider before installing
This skill appears to genuinely implement weekend travel planning, but the SKILL.md depends on a 'flyai' CLI tool (flyai search-flight / search-hotel / search-poi) while the registry metadata declares no required binaries or install steps. Before installing or enabling this skill you should:
- Ask the skill author (or vendor) to clarify what 'flyai' is, where it comes from, and provide a canonical install/source (GitHub release, official package, or package manager). Do not trust an undocumented or private binary source.
- Request an updated manifest that declares required binaries and a safe install mechanism (or remove the flyai dependency and call only well-known APIs).
- Confirm what network endpoints flyai contacts and whether any user data (current location, travel dates, personal identifiers) are transmitted to third parties; get a privacy/dataflow statement.
- If you cannot verify flyai's provenance, treat the skill as untrusted: run it in an isolated environment or refuse to install.
- Consider testing the skill in a constrained environment and verifying its outputs do not leak sensitive info (e.g., your saved credentials or local files).
If the author updates the manifest to explicitly declare 'flyai' as a required and trusted dependency (with install/source), the inconsistency would likely be resolved and this would lean toward benign. Currently the undeclared external-tool dependency is the main unresolved concern.
Like a lobster shell, security has layers — review code before you run it.
latest vk978bjwvmr81j3r54zqxd4kshh841jdw
