The skill is vulnerable to prompt injection and confirmation bypass
Claims to do
Cultural tourism material search (API):
> **Output format specification**
>
> The agent should first determine the client type, then choose the corresponding output format:
>
> | Client type | Basis for detection | Output format |
> |-------------|---------------------|---------------|
> | **Desktop / Web** (ArkClaw, OpenClaw, browsers, etc.) | Default | HTML table (`<table>`, `<img>`, `<video>`, etc.; only the tags declared under `html_output.tags` in `index.json`) |
> | **IM mobile apps** (Feishu, WeChat, DingTalk, WeCom, etc.) | The user mentions using Feishu/WeChat/DingTalk, or context/system information indicates an IM client | Markdown table (`\| col \|` syntax, images via ``, links via `[text](url)`) |
>
> **Desktop HTML mode notes**:
> - Do not place HTML inside a code fence (tags inside a fence are not rendered; only the source is shown)
> - Do not use `<input type="checkbox">` (no interaction is possible in a static HTML environment)
> - Do not use `<button>` (no JS runtime, so no event can be bound)
> - All media URLs (`<img src>`, `<video src>`) must pass the "Security: media source validation" section below
>
> **IM mobile Markdown mode notes**:
> - Use Markdown table syntax (`| col |`)
> - Thumbnails via `` or omitted (the thumbnail column may be dropped on narrow phone screens)
> - Video previews cannot be embedded; always use a `[▶ Preview](preview_url)` link
> - Do not output HTML tags (mobile IM clients do not render HTML and display the tag source as-is)
>
> **General rules**:
> - Selection is performed by **text commands sent by the user** (e.g. "select 1,3", "buy"); the agent re-renders the table with status markers
> - Note: the HTML templates in this document are shown in code blocks to keep the document renderer from executing them; when outputting to the user, the agent should remove the code fence.
> See "Search result display" below.
Actually does
This skill makes POST requests to a configurable API endpoint (defaulting to `https://www.data0086.com/ms-base/home/getList`) to search for cultural tourism materials, sending search parameters in the request body. It processes the JSON response, validates media URLs against a trusted list from `config.json`, and formats the results as an HTML or Markdown table for display. While it handles selection logic and prepares a JSON structure for purchase confirmation, it explicitly states it does not currently call any external trade APIs.
openclaw skills install fengyily/culturetour-skill

DeBERTa classifier detected prompt injection (confidence: 0.99)
The agent is instructed to embed API response fields (e.g. `{title}`, `{id}`, `{resolution}`) directly into raw HTML templates for display. The skill's media-source check covers only `<img src>` and `<video src>` URLs; there is no instruction to HTML-escape the text fields, so malicious content in them is rendered as markup. This is an HTML injection that can lead to defacement, phishing, or XSS in client environments that execute script.
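An added example (not the skill's own code) contrasting the verbatim substitution the finding describes with a hardened renderer: every field is HTML-escaped, and media URLs are allowlisted by exact host and https scheme before use. The `trusted_media_hosts` key, the `about:blank` placeholder, the row template and the three result rows are constructed assumptions for illustration; the skill's real `config.json` shape and templates are not reproduced here.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the trusted list the skill reads from config.json.
# The key name and exact-host semantics are assumptions, not the skill's code.
CONFIG = {"trusted_media_hosts": ["cdn.example.com"]}

# Neutral value substituted for a rejected media source (assumption).
BLOCKED = "about:blank"

# Constructed API results: one benign row and two hostile rows that exercise
# text injection, a look-alike host, a javascript: URL and attribute breakout.
RESULTS = [
    {"id": "1001", "title": "West Lake sunrise", "resolution": "3840x2160",
     "thumb_url": "https://cdn.example.com/1001.jpg",
     "video_url": "https://cdn.example.com/1001.m3u8"},
    {"id": "1002", "title": "<script>alert(document.cookie)</script>",
     "resolution": '1920x1080" onmouseover="alert(1)',
     "thumb_url": "https://cdn.example.com.evil.net/1002.jpg",
     "video_url": "javascript:alert(1)"},
    {"id": "1003", "title": "Tea garden", "resolution": "1920x1080",
     "thumb_url": 'https://cdn.example.com/1003.jpg" onerror="alert(1)',
     "video_url": "https://cdn.example.com/1003.mp4"},
]

# Row template in the style the skill describes: {variables} filled in per row.
ROW_TEMPLATE = (
    '<tr><td>{id}</td><td><img src="{thumb_url}"></td>'
    '<td>{title}</td><td>{resolution}</td>'
    '<td><video src="{video_url}" controls></video></td></tr>'
)


def media_url_allowed(url, cfg=CONFIG):
    """True only for https URLs whose host is exactly on the trusted list.

    The scheme check rejects javascript: and data: sources; exact host
    matching rejects look-alikes such as cdn.example.com.evil.net.
    """
    parts = urlsplit(str(url))
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in cfg["trusted_media_hosts"]}


def render_row_unsafe(item):
    """What the skill text asks for: substitute each field verbatim."""
    return ROW_TEMPLATE.format(**item)


def render_row_safe(item, cfg=CONFIG):
    """Hardened rendering: allowlist media sources, then HTML-escape every
    field. quote=True also neutralises '"', so an attribute cannot be broken
    out of even by a URL whose host passed the allowlist."""
    safe = {}
    for key, value in item.items():
        if key.endswith("_url") and not media_url_allowed(value, cfg):
            value = BLOCKED
        safe[key] = html.escape(str(value), quote=True)
    return ROW_TEMPLATE.format(**safe)


def render_table_safe(results, cfg=CONFIG):
    """Full table, unfenced, as the desktop/Web mode expects."""
    rows = "".join(render_row_safe(r, cfg) for r in results)
    return "<table>" + rows + "</table>"


if __name__ == "__main__":
    print(render_row_unsafe(RESULTS[1]))   # the script tag reaches the page verbatim
    print(render_table_safe(RESULTS))
```

The third row is the case worth noticing: its thumbnail host is on the allowlist, so a URL check alone lets `" onerror="alert(1)` through into the attribute; only escaping closes that path, which is why both steps are needed.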
When outputting search results, the agent **outputs HTML line by line following the template below**, replacing `{variable}` with real values.

The skill explicitly instructs the agent to proceed with purchase actions and generate transaction requests without requiring any secondary confirmation from the user. This bypasses a critical human-in-the-loop safety mechanism, allowing direct financial actions based solely on a text command.
The user can say "buy 1,2" to place an order directly, with no secondary confirmation.
Upon a purchase command, the agent directly outputs a structured JSON object containing sensitive transaction details (e.g., `commodity_code`, `business_code`, `price`, `video_url`). This data, if logged or intercepted, could expose sensitive financial or product information.
After the user issues a purchase command, **directly** output a **batch trade request JSON**.
The explicit instruction for the agent to perform purchase actions without secondary confirmation can lead to user approval fatigue. Users may become accustomed to direct actions, increasing the risk of accidental or malicious purchases if they misinterpret a command or are socially engineered.
The user can say "buy 1,2" to place an order directly, with no secondary confirmation.
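The three purchase findings above describe one missing control: a commit step that requires an explicit confirmation naming the pending order. An added example (not the skill's own code) of such a gate for the text-command flow the skill uses ("select 1,3", "buy 1,2", then "confirm"/"cancel"): "buy" only proposes an order and echoes a short token, "confirm <token>" within a time limit places it, and a stale or token-less "confirm" does nothing. The catalogue, the 120-second window, the token scheme and the request shape (identifiers only, no price or `video_url`) are assumptions for illustration.

```python
import json
import re
import secrets
import time

# Constructed catalogue for the rows of the last search (not real data).
CATALOG = {
    1: {"commodity_code": "C-1001", "business_code": "B-01", "price": 120.0,
        "title": "West Lake sunrise", "video_url": "https://cdn.example.com/1001.m3u8"},
    2: {"commodity_code": "C-1002", "business_code": "B-01", "price": 80.0,
        "title": "Tea garden", "video_url": "https://cdn.example.com/1002.m3u8"},
    3: {"commodity_code": "C-1003", "business_code": "B-02", "price": 45.5,
        "title": "Night market", "video_url": "https://cdn.example.com/1003.m3u8"},
}

CONFIRM_TTL = 120  # seconds a pending order stays confirmable (assumption)


class PurchaseSession:
    """select -> buy -> confirm/cancel, with the commit step gated on an
    explicit confirmation that names the pending order by token."""

    def __init__(self, catalog, now=time.time):
        self.catalog = catalog
        self.now = now            # injectable clock so expiry can be tested
        self.selected = set()
        self.pending = None       # {"rows": [...], "token": str, "expires": float}

    def _rows_in(self, text):
        rows = {int(n) for n in re.findall(r"\d+", text)}
        unknown = rows - set(self.catalog)
        if unknown:
            raise ValueError(f"unknown rows: {sorted(unknown)}")
        return sorted(rows)

    def handle(self, text):
        """Dispatch one user message; English and Chinese command words."""
        t = text.strip().lower()
        try:
            if t.startswith(("select", "选")):
                self.selected = set(self._rows_in(t))
                return f"Selected rows {sorted(self.selected)}."
            if t.startswith(("buy", "购买")):
                return self._propose(self._rows_in(t) or sorted(self.selected))
            if t.startswith(("confirm", "确认")):
                return self._commit(t.split())
            if t.startswith(("cancel", "取消")):
                self.pending = None
                return "Cancelled."
        except ValueError as err:
            return f"Rejected: {err}"
        return "Unknown command."

    def _propose(self, rows):
        """'buy' never places the order; it shows what would be bought."""
        if not rows:
            return "Nothing selected."
        token = secrets.token_hex(3)
        self.pending = {"rows": rows, "token": token,
                        "expires": self.now() + CONFIRM_TTL}
        total = sum(self.catalog[r]["price"] for r in rows)
        lines = [f"  {r}. {self.catalog[r]['title']} ({self.catalog[r]['price']:.2f})"
                 for r in rows]
        return ("About to buy:\n" + "\n".join(lines) + f"\nTotal {total:.2f}. "
                f"Reply 'confirm {token}' within {CONFIRM_TTL}s, or 'cancel'.")

    def _commit(self, words):
        """Only a fresh confirmation carrying the right token emits the request."""
        if self.pending is None:
            return "No pending order."
        if self.now() > self.pending["expires"]:
            self.pending = None
            return "Confirmation expired; issue 'buy' again."
        if len(words) < 2 or words[1] != self.pending["token"]:
            return "Token mismatch; the pending order was not placed."
        order, self.pending = self.pending, None
        return self.build_trade_request(order["rows"])

    def build_trade_request(self, rows):
        """Batch trade request carrying identifiers only (assumed shape).
        Price is settled server-side, and display-only fields such as
        video_url stay out of the request and therefore out of any logs."""
        items = [{"row": r,
                  "commodity_code": self.catalog[r]["commodity_code"],
                  "business_code": self.catalog[r]["business_code"]}
                 for r in rows]
        return json.dumps({"client_order_id": secrets.token_hex(8), "items": items},
                          ensure_ascii=False)


if __name__ == "__main__":
    s = PurchaseSession(CATALOG)
    print(s.handle("select 1,3"))
    print(s.handle("buy"))               # proposal with token, nothing placed yet
    print(s.handle("confirm"))           # no token: rejected, order still pending
    print(s.handle("confirm " + s.pending["token"]))
```

Binding the confirmation to a token rather than a bare "confirm" means a later message that merely contains the word, whether typed by mistake or injected into the conversation, cannot commit a different or older order.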
The skill's stated purpose claims to 'complete' the 'select/purchase' flow. However, the detailed implementation explicitly states that the 'trade API' is 'reserved' and 'currently not called'. The skill only outputs a structured JSON representing a purchase request for debugging/integration, rather than executing an actual purchase.
Skill header: 'Complete the "search → list → preview (HLS/MP4) → select/purchase" flow'. 'Flow overview' section: 'Do not call the trade API at this stage; after purchase, output a structured "batch trade request"'. 'Trade API (reserved, not called for now)' section: 'Not executed by default.'