Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description promise ride-planning, cost estimates, enterprise car management, and Open Platform API guidance; the SKILL.md contains product comparisons, cost-estimation code, high‑level strategies, and example enterprise-API client code — all consistent with that purpose.
Instruction Scope
Runtime instructions are prose and example code for cost estimates and API usage. They reference the Didi enterprise API endpoint (api.es.xiaojukeji.com) which is appropriate for an API-integration guide. The instructions do not direct the agent to read unrelated system files, environment variables, or exfiltrate data.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing will be written to disk or downloaded by the skill itself.
Credentials
The skill declares no required env vars or credentials. Example code shows use of client_id/client_secret and access tokens (expected for API integration). Because the skill doesn't request secrets automatically, there is no disproportionate credential access, but users should avoid pasting production credentials into chat.
Persistence & Privilege
always is false and the skill does not request persistent agent-level privileges or change other skills' configs. disable-model-invocation is default false (normal) and acceptable given no other red flags.
Assessment
This skill is instruction-only and appears coherent with its stated purpose. It provides code samples that, if you run them, will call Didi enterprise APIs and require client_id/client_secret values — the skill itself does not ask for or store credentials. Before using: (1) do not paste production client_id/client_secret or other secrets into the chat; use test or least-privilege credentials when experimenting; (2) verify the API endpoints and company policy if integrating enterprise accounts; (3) if you plan to run the sample code, run it in a controlled/dev environment and inspect requests/responses; (4) prefer creating scoped/test API keys and rotate them after use. If you want, I can scan the rest of the truncated SKILL.md (or search for any hidden instructions) to raise confidence further.Like a lobster shell, security has layers — review code before you run it.
latestvk97dpghnacjed82v8etn9qcn9d8306rb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.