- Downloads: 124
- Stars: 1
- Active Installs: 0
- Versions: 1
Install in OpenClaw
/install search-flight
Description
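AI flight assistant - provides domestic flight search, cabin class lookup, booking and order placement, ticket rescheduling, and ticket refunds. Use it when the user asks about flights, queries ticket prices, submits a ticket order, reschedules a flight, or requests a refund.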
Usage Guidance
This skill appears to implement the advertised flight search and booking flows, but I recommend caution before using it with real personal data. Specific concerns:
- (1) TLS verification is explicitly disabled for all HTTP requests — this makes the apiKey and passengers' PII vulnerable to man-in-the-middle attacks;
- (2) the SKILL.md states the apiKey is saved in ~/.fbt_auth.json but the code saves it in the system temp directory (tempfile.gettempdir()), which affects how long the key persists and who can access it;
- (3) despite advising not to log PII, the scripts print passenger names/phones/IDs and even raw order_data to stdout, which may be captured by application logs;
- (4) the code posts PII and auth tokens to an external domain (default https://app-gate.fenbeitong.com/...), so confirm you trust that service and review its privacy policy.

Actions you can take before installing or using the skill:
- Ask the author for the skill's homepage, provenance, and why TLS verification is disabled; require they remove ssl._create_unverified_context().
- Request they reconcile documentation vs. code for apiKey storage (explicit file path and file permissions), or change to store the key in a secure user config (home directory with appropriate permissions) and document it.
- Ask for logs/printing of PII to be removed (no cleartext printing of identity numbers/phones).
- If you must test, run it on an isolated system (not a shared machine), avoid using real personal data, and set FBT_API_URL to a controlled test endpoint if possible.

If the author cannot justify or fix the above, treat the skill as high-risk for handling real PII.
Capability Analysis
Type: OpenClaw Skill
Name: search-flight
Version: 1.0.0
The skill bundle implements a flight booking assistant that handles sensitive Personally Identifiable Information (PII), including passenger names, phone numbers, and national ID numbers. A significant security vulnerability is present in `scripts/common.py`, where SSL certificate verification is explicitly disabled via `ssl._create_unverified_context()` for all API calls to `app-gate.fenbeitong.com`. This exposes sensitive user data and authentication tokens to Man-in-the-Middle (MitM) attacks. While the behavior aligns with the stated purpose and the code includes a comment acknowledging the risk, the intentional bypass of transport security for PII and payment-related workflows is a high-risk flaw.
Capability Assessment
Purpose & Capability
The name/description (flight search & booking) aligns with the included scripts and required binary (python3). The scripts call an external flight API and perform search/price/order/endorse/refund operations as described. However, SKILL.md claims the apiKey is saved to the user's home (~/.fbt_auth.json) while common.py actually writes/reads the auth file from the system temp directory (tempfile.gettempdir()). This mismatch can mislead users about persistence and file location.
Instruction Scope
The SKILL.md explicitly warns that PII (name, phone, id) will be POSTed to the external service — which matches the code. But several concerning instruction/behavior mismatches exist: the docs tell users not to expose PII in logs or replies, yet scripts explicitly print passenger name/phone/id and also print debug/order_data in endorse_apply.py, potentially exposing PII to stdout/logs. The code sends all business data to an external endpoint (app-gate.fenbeitong.com by default) — expected for booking, but the code disables TLS certificate verification (ssl._create_unverified_context()), which introduces MITM risk for all transmitted PII and apiKey.
Install Mechanism
No install spec is provided (instruction-only style) and only python3 is required — this is proportionate. The package does include multiple Python scripts bundled with the skill (no external downloads). There is no third-party install step that pulls remote executables (lower install risk).
Credentials
The skill requests no environment variables in its declared requirements, but common.py honors an optional FBT_API_URL environment variable to override the API endpoint — SKILL.md does not document this. The skill persists an apiKey locally (expected for authenticated API usage) but the storage location differs between documentation and code. No unrelated external credentials are requested.
Persistence & Privilege
The skill persistently saves an apiKey to disk (implemented via save_api_key/load_api_key) which is expected for an authenticated client. However, the SKILL.md says the apiKey will be stored in the user's home (~/.fbt_auth.json) while the code stores it in the system temp directory (tempfile.gettempdir(), e.g., /tmp/.fbt_auth.json) — this affects persistence and visibility of the key (temp files may be world-readable on some systems). The skill does not request elevated system privileges nor set always:true.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install search-flight`
- After installation, invoke the skill by name or use `/search-flight`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
flightAI v1.0.0 – Initial Release
- Provides comprehensive AI-powered domestic flight services, including flight search, fare query, booking, rescheduling, and refund.
- Supports step-by-step guidance for authentication via SMS code and apiKey before any operations.
- Offers script-based commands for each feature: searching flights, querying prices, booking tickets, order management, flight change, and refund.
- Clearly details required user information and privacy handling for secure bookings.
- Includes contextual parameter checks and result formatting requirements for user interaction.
Frequently Asked Questions
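What is AI机票预订助手 (AI Flight Booking Assistant)?
An AI flight assistant that provides domestic flight search, cabin class lookup, booking and order placement, ticket rescheduling, and ticket refunds. Use it when the user asks about flights, queries ticket prices, submits a ticket order, reschedules a flight, or requests a refund. It is an AI Agent Skill for Claude Code / OpenClaw, with 124 downloads so far.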
How do I install AI机票预订助手?
Run "/install search-flight" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is AI机票预订助手 free?
Yes, AI机票预订助手 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does AI机票预订助手 support?
AI机票预订助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created AI机票预订助手?
It is built and maintained by 赵瑞宇 (@ryan-zry); the current version is v1.0.0.