← Back to Skills Marketplace
danshaniusha

Multi City Planner

by DanshaNiusha · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
114
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install multi-city-planner
Description
多目的地行程规划与比价工具。支持多程航班、缺口程、往返组合等多种方案对比,自动优化同国家城市连续游玩,输出标准 HTML 网页报告。
Usage Guidance
Summary of issues and recommended next steps before installing or running: 1) Expect to need a flyai API key: the docs instruct configuring FLYAI_API_KEY for flyai-cli but the skill metadata doesn't declare it. If you plan to use live flight data, create an API key on the provider and verify how the scripts consume it. Ask the author to declare required env vars. 2) Inspect the executable scripts before running: plan.js uses child_process.execSync to run scripts under scripts/*. Those scripts may call flyai-cli or make network requests — review them for any hard-coded endpoints, credentials, telemetry, or filesystem access you don’t want shared. Run the code only after manual review or in a sandbox. 3) Note the documentation/code mismatch about hiding internal details: SKILL.md forbids showing skill name/script paths/tool calls, but plan.js prints which script it runs and some HTML files include the skill name/version. If you require strict non-disclosure of the tooling/runtime details, verify and remove those printouts/footers. 4) Run in an isolated environment first: use a sandbox/container or non-privileged account, and avoid running on machines with sensitive credentials. Monitor network traffic on first runs to see what external endpoints are contacted. 5) Ask for clarifications or fixes from the publisher: request the author update the skill metadata to list required env vars (e.g., FLYAI_API_KEY), remove contradictions between SKILL.md and code output, and provide a short security/privacy note describing what data is transmitted to external services. If you want, I can: (a) scan the scripts directory for network calls and suspicious filesystem access, (b) point out exact lines that print internal info, or (c) propose minimal changes to make the metadata and SKILL.md consistent with the code.
Capability Analysis
Type: OpenClaw Skill Name: multi-city-planner Version: 1.0.0 The skill bundle contains a significant command injection vulnerability in `plan.js` and several scripts within the `scripts/` directory (e.g., `search-multi-city.js`, `compare-all.js`). These files use `child_process.execSync` to execute shell commands constructed directly from unsanitized user input (e.g., `--origin`, `--cities`), allowing for potential Remote Code Execution (RCE). Additionally, `SKILL.md` contains instructions for the AI agent to explicitly hide the tool's execution process, internal technical details, and script paths from the user, which could be used to obscure malicious activity. The presence of hardcoded local absolute paths (e.g., `/Users/dansha/liuxiaokang/...`) further indicates poor security practices.
Capability Assessment
Purpose & Capability
The skill's name/description (multi-city itinerary comparison, HTML output) align with the included JavaScript scripts and HTML templates. Requiring Node.js and referencing flyai-cli in docs is consistent with a runtime that calls an external flight data provider. However, the SKILL metadata lists no required environment variables while README/SKILL.md instruct users to configure FLYAI_API_KEY for flyai-cli — that mismatch is notable.
Instruction Scope
SKILL.md explicitly forbids exposing the skill name, script paths, tool calls, and internal technical details in generated output. Yet plan.js prints the selected script name ('使用脚本:…') before executing, and several supplied HTML files contain footer lines revealing the skill name and version. The scripts are executed via child_process.execSync (plan.js) which can run arbitrary local JS files; the runtime instructions and actual code diverge on what output is allowed to expose.
Install Mechanism
No remote install spec is provided (no downloads or archive extraction). The skill is provided as local JS files and templates and requires Node.js to run — which is proportionate. There are no installer URLs or non-standard install actions in the manifest.
Credentials
The documentation and README instruct installing flyai-cli and setting FLYAI_API_KEY, but the skill metadata declares no required env vars. Requiring an API key for a flight-data service would be reasonable, but it should be declared in requires.env and primaryEnv. The absent declaration makes it easy for that credential requirement to be overlooked or for the skill to attempt to use undocumented credentials. No other unrelated credentials are requested in the files.
Persistence & Privilege
Flags show always:false and no special OS restrictions. The skill does not request to be permanently included or to modify system/global agent configuration. It executes local scripts in its own directory and does not request elevated platform-wide privileges in the manifest.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install multi-city-planner
  3. After installation, invoke the skill by name or use /multi-city-planner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Multi-City Planner – a comprehensive, multi-destination itinerary planning and comparison tool. - Supports multiple trip types: multi-city, open-jaw, round-trip combinations, and single-segment planning. - Compares various transport modes (flight, train, bus) with automated best-route optimization. - Outputs full-featured, standardized HTML reports with pricing tables, cards for transportation comparison, detailed day-by-day itinerary, budget tables, and 10 essential travel checklists. - Provides both a unified entry point and dedicated scripts for different regional templates. - Node.js-based, leveraging live flight data via flyai-cli.
Metadata
Slug multi-city-planner
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Multi City Planner?

多目的地行程规划与比价工具。支持多程航班、缺口程、往返组合等多种方案对比,自动优化同国家城市连续游玩,输出标准 HTML 网页报告。 It is an AI Agent Skill for Claude Code / OpenClaw, with 114 downloads so far.

How do I install Multi City Planner?

Run "/install multi-city-planner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Multi City Planner free?

Yes, Multi City Planner is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Multi City Planner support?

Multi City Planner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Multi City Planner?

It is built and maintained by DanshaNiusha (@danshaniusha); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments