
qunar-travel-query

by hellllll0world · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
460 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install qunar-travel-query
Description
Provides Qunar travel information lookup; use when the user needs to query flight, hotel, attraction ticket, or train ticket information.
Usage Guidance
This skill appears to implement Qunar travel queries, but there are two things you should check before installing or enabling it:
  1. Credential mapping mismatch — The SKILL.md tells you to configure a credential named 'qunar_api_key', but the script reads an environment variable named COZE_QUNAR_API_KEY_7612643102733467667. Confirm with the platform how credentials are mapped to environment variables; if the platform does not automatically set COZE_QUNAR_API_KEY_7612643102733467667 from your 'qunar_api_key' entry, the skill will fail. Do not paste your real API Key into an arbitrary text field unless you understand where it will be stored.
  2. Endpoint / exfiltration risk — The script will send your API Key in the Authorization header to whatever api_endpoint is provided. Only use official, documented Qunar endpoints. If you or the agent accidentally supply a malicious endpoint, your API Key could be leaked. Prefer hard-coding or whitelisting known official endpoints in agent logic, or restrict network egress in the runtime environment.
Additional practical steps:
  - Verify the source (this package lists no homepage and the source is 'unknown'); prefer skills from known/trusted publishers.
  - Confirm the runtime has the 'coze_workload_identity' dependency (or replace it with a standard requests library) and declare dependencies explicitly.
  - If you must test, do so in a sandboxed environment with network controls and a test/limited API Key that can be revoked.
  - If unsure, ask the skill author to (a) document exact env var name(s) the script expects, (b) declare dependencies, and (c) restrict or validate api_endpoint values.
Capability Analysis
Type: OpenClaw Skill
Name: qunar-travel-query
Version: 1.0.0
The skill is designed for legitimate travel queries but presents a Server-Side Request Forgery (SSRF) vulnerability. The `scripts/qunar_query.py` script accepts an `api_endpoint` as a direct argument and uses it to make network requests, sending the `Authorization` header containing the Qunar API key. The `SKILL.md` and `references/api_reference.md` indicate that this `api_endpoint` is dynamically determined by the AI agent, potentially influenced by user input. This design allows a malicious user to craft a prompt that directs the agent to call an arbitrary, attacker-controlled URL, leading to the exfiltration of the Qunar API key.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md, script (scripts/qunar_query.py) and reference docs all align: they implement queries for flights, hotels, scenic spots and trains against Qunar APIs. The script's CLI and the documented endpoints match the stated purpose.
Instruction Scope
Instructions stay within the travel-query scope and instruct the agent to collect parameters and call the included script. However the SKILL.md allows (and requires) the agent/user to supply arbitrary api_endpoint values; the script will send the API Key in an Authorization header to whatever endpoint is provided. The credential configuration flow is described at a high level but lacks exact mapping details (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. The code imports an unusual module: 'coze_workload_identity' (from coze_workload_identity import requests). That dependency is not declared anywhere and may not be present in runtime environments, causing failures or unexpected behavior if resolved by other means.
Credentials
Metadata declares no required env vars, but the script expects a specific environment variable named COZE_QUNAR_API_KEY_7612643102733467667. SKILL.md tells users to configure a credential named 'qunar_api_key' — these names do not match. This mismatch is a red flag: either the platform will map 'qunar_api_key' -> COZE_QUNAR_API_KEY_<id> (possible but unstated), or the script will fail. Also, because the script accepts arbitrary api_endpoint values, a misconfigured or malicious endpoint could receive the API Key (exfiltration risk).
Persistence & Privilege
The skill does not request 'always: true' and will not be force-included. It does not attempt to change other skills or system configs. No elevated persistence or unusual privileges are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install qunar-travel-query
  3. After installation, invoke the skill by name or use /qunar-travel-query
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
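qunar-travel-query 1.0.0 initial release:
  - Supports querying flight, hotel, attraction ticket, and train ticket information through the Qunar open platform API
  - Implements an automatic credential (API Key) configuration flow that guides the user to obtain and configure the key on first use
  - Provides standard parameter collection, API queries, and multiple result output formats (list, detailed, conversational)
  - Includes a detailed usage flow, operation examples, and FAQ guidance
  - Supports exception handling and personalized recommendations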
Metadata
Slug qunar-travel-query
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is qunar-travel-query?

Provides Qunar travel information lookup; use when the user needs to query flight, hotel, attraction ticket, or train ticket information. It is an AI Agent Skill for Claude Code / OpenClaw, with 460 downloads so far.

How do I install qunar-travel-query?

Run "/install qunar-travel-query" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is qunar-travel-query free?

Yes, qunar-travel-query is completely free (open-source). You can download, install and use it at no cost.

Which platforms does qunar-travel-query support?

qunar-travel-query is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created qunar-travel-query?

It is built and maintained by hellllll0world (@hellllll0world); the current version is v1.0.0.
