📦 overseas-business-trip-suite — 实用工具
v1.0.0overseas-business-trip-suite是一款实用的工具技能,能够帮助用户完成相关任务,提升工作效率。
0· 77·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill claims end-to-end booking, corporate payment and expense submission but provides no credentials, no integration details, and its code is only a local stub — the design is internally inconsistent and warrants caution.
评估建议
This skill's claims (auto-search, corporate payment, auto-submit expense) require access to payment and booking APIs, but the package declares no credentials or endpoints and its code is only a local stub. Before installing or enabling it: 1) Ask the author for exact integration details (which APIs, endpoints, and what credentials are required). 2) Require explicit env vars or config for each external service and ensure they follow least privilege. 3) Verify where payments would be charged and w...详细分析 ▾
⚠ 用途与能力
The skill's description promises flight/hotel booking, corporate payment and automatic expense submission — actions that normally require API keys, payment credentials, and service endpoints. However the skill declares no required environment variables, no config paths, and no external integration details. That mismatch (high-privilege operations with zero declared credentials) is incoherent.
⚠ 指令范围
SKILL.md gives a high-level, end-to-end workflow and states the Agent will perform everything automatically, but provides no specific commands, endpoints, or safeguards. The instructions are vague and grant broad discretion to the agent ('全程由 Agent 自动执行,无需人工干预'), which could cause the agent to use any available connectors or credentials unless constrained.
✓ 安装机制
There is no install spec (instruction-only style) and the included script is a small local stub that logs and returns simulated IDs. No downloads or external installers are present, which is the lowest-risk install mechanism.
⚠ 凭证需求
Given the claimed capability (booking + corporate payment + expense submission), one would expect required env vars or credential configuration (e.g., travel API keys, corporate payment account, expense system token). The skill requests none, which is disproportionate and inconsistent with its stated purpose.
ℹ 持久化与权限
The skill is not forced-always and allows normal autonomous invocation. Autonomous invocation plus the skill's claim to perform payments could be risky if the agent has access to corporate payment tokens or external connectors — but the skill itself does not request persistent privileges or modify system configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install overseas-business-trip
镜像加速npx clawhub@latest install overseas-business-trip --registry https://cn.longxiaskill.com