Skill v1.0.3

ClawScan security

HelloBike Hitch Ride Travel Skill (哈啰顺风车出行技能) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 11:48 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared behavior (calling HelloBike MCP APIs to search, price, and place hitch rides) is coherent, but there are inconsistencies and privacy/secret-handling risks (notably guidance that could encourage pasting your API key into chat and unclear guidance around configuration and scheduled autonomous tasks).
Guidance
This skill appears to do what it says (use HelloBike APIs to search, price and place hitch rides), but exercise caution before installing:

- Do not paste or speak your API key into a chat. The README example that says “My API Key is xxxxxx” is risky: conversation history and logs can expose secrets. Prefer configuring the MCP with openclaw mcp set or editing ~/.openclaw/openclaw.json as the SKILL.md shows.
- Verify the API endpoint and platform: confirm hellohitchapi.hellobike.com and the HelloBike AI Open Platform are legitimate and that the API Key you get is scoped appropriately.
- Understand autonomous behavior: the skill schedules delayed/cron tasks (5-minute status checks, optional scheduled bookings). If you enable autonomous invocation or scheduling, the agent can place or query orders without a fresh explicit confirmation unless the skill’s flow requires it. Only allow this if you accept that autonomous bookings and cancellations may be triggered.
- Protect PII: the skill will handle precise locations and driver contact info returned by the API. Check your log/retention policies and who has access to the agent's conversation history.
- Source validation: the package has no homepage and an unknown publisher — if possible, request the publisher’s repo or official documentation to verify authenticity, or obtain the official HelloBike MCP integration docs and compare them to the skill’s references/api.md.

If you still want to proceed: set the MCP config via the CLI or config file (not via chat), use an API key with least privilege, monitor the first runs closely, and revoke the key if anything unexpected happens.

Review Dimensions

Purpose & Capability
note: Name/description match the instructions: the skill documents exactly the HelloBike hitch operations (search, estimate, create/cancel order, invite drivers, generate app/wechat links). No unrelated services or credentials are requested. However, the skill is published with unknown source/homepage, which reduces provenance confidence.
Instruction Scope
concern: SKILL.md stays within the ride-booking domain (calls maps_textsearch and many hitch_* APIs). But README and SKILL.md give mixed guidance for configuration: the preferred secure method is to set MCP via openclaw mcp set or editing ~/.openclaw/openclaw.json, yet README also shows an example 'Say in the Agent conversation: My API Key is xxxxxx' — instructing users to speak/paste their API key into the chat. That would expose secrets to conversation logs and is inconsistent with the CLI/config approach. The skill also instructs creating delayed/cron tasks for autonomous re-checks and automated future booking—these allow autonomous actions and should be considered when enabling the skill.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written by an installer. The runtime instructions ask the operator to configure MCP via CLI or edit openclaw.json, which is normal for a connector. No external downloads or package installs are required by the skill itself.
Credentials
concern: The skill does not declare required environment variables in metadata, but it clearly requires an API Key for the HelloBike MCP (provided via the OpenClaw MCP config). That is proportionate to the stated purpose. The concern is procedural: README encourages providing the API Key in natural-language chat, which is unnecessary and risky. Also, the skill will handle PII (locations, driver phone/names) returned by the API — users should be aware this data flows through agent logs and stored conversation context.
Persistence & Privilege
note: always is false (good). The skill documents creating scheduled/cron tasks and a mandatory 5-minute status check after order creation; these imply the agent will schedule future autonomous actions. Autonomous invocation is platform-default, but users should understand the implications of scheduled autonomous tasks (they will cause the agent to call the MCP APIs without repeat user confirmation in some flows).