Travelmapify
by rudy2steiner · GitHub · v2.2.2 · MIT-0
141 Downloads · 0 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install travelmapify
Description
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images.
Usage Guidance
What to consider before installing:
1) Command injection risk: scripts/amap-proxy.js builds shell commands that interpolate user-provided query/city values into a child_process exec string. If you will expose this proxy to any untrusted input or use untrusted images/text, this is a real risk. Ask the author to sanitize/escape inputs or switch to child_process.spawn with argument arrays.
2) Embedded API key & undeclared env use: the package and docs ship a default Amap API key and the code will use AMAP_KEY if present. The skill claims no required credentials but relies on AMAP_KEY, OPENCLAW_WORKSPACE and the FlyAI CLI. Prefer to supply your own Amap key via environment variable and confirm the included key is legitimate and allowed for reuse.
3) Dependency on sibling skill and local servers: the proxy calls into a relative ../amap-maps script. Installing this skill without a trusted amap-maps implementation could execute arbitrary code. Only install if you have the expected amap-maps skill from a trusted source.
4) Run in a sandbox first: test in an isolated environment (VM/container) and review the omitted scripts (hotel-search-server.py, ensure_servers_running.py, etc.) before enabling on your main system.
5) If you need this functionality but want lower risk: request the author to (a) remove embedded API keys, (b) declare required env vars and permissions, (c) avoid shell interpolation of user inputs, and (d) document exact runtime network endpoints. If the author provides that follow-up and fixes the command-exec patterns, this assessment could change to benign.
Capability Analysis
Type: OpenClaw Skill
Name: travelmapify
Version: 2.2.2
The skill bundle contains a critical shell injection vulnerability in 'scripts/amap-proxy.js', where user-controlled query and city parameters are passed unsanitized to 'child_process.exec'. Additionally, 'scripts/ensure_servers_running.py' implements aggressive server management by force-killing any existing processes on ports 8769 and 8780 using 'lsof' and 'os.kill'. While these behaviors are documented as part of the skill's automatic server management and geocoding functionality, the lack of input validation and the invasive process handling pose significant security risks.
Capability Assessment
Purpose & Capability
Name/description (map generation + FlyAI hotel search + AI Vision) generally align with the included code (geocoding, template generation, hotel-search server). However the registry metadata claims no required env vars/credentials while the code expects AMAP_KEY, OPENCLAW_WORKSPACE, and a FlyAI executable; it also requires an external sibling skill (amap-maps). Asking for no credentials but embedding/using an API key and depending on another skill is inconsistent and unexplained.
Instruction Scope
SKILL.md instructs the agent to auto-start HTTP/hotel servers, use the agent's AI Vision, and call Amap/FlyAI. The shipped runtime files actually start local servers, spawn subprocesses, and call into a relative 'amap-maps' skill. The amap proxy composes shell commands with user query/city values inserted directly (see scripts/amap-proxy.js), creating a command-injection risk. The skill also modifies/reads workspace paths and hunts for FlyAI binaries—behavior beyond simple map rendering.
Install Mechanism
No external install spec (instruction-only) reduces supply-chain risk, but the bundle includes multiple executable scripts (Python and Node) that will be run locally. Nothing is downloaded from arbitrary URLs, but the code will call other local tools (node, npm, flyai) and a sibling skill; that means installing/running the package still executes non-trivial code on the host.
Credentials
Registry lists no required env vars, yet code uses/reads AMAP_KEY (with a hardcoded default key in docs and Node proxy), OPENCLAW_WORKSPACE, and expects a FlyAI binary. Embedding an Amap API key in the package and using it without explicit user acknowledgement is questionable. The skill also probes PATH/npm locations to find FlyAI—unrequested environment access that should have been declared.
Persistence & Privilege
always:false (good), but the skill auto-starts local HTTP servers (default ports 9000, 8770, and requires an Amap proxy on 8769) and will keep processes running while used. This grants persistent local network presence during operation; combined with the unsafe exec behavior it increases the attack surface but is not itself a platform privilege escalation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install travelmapify
- After installation, invoke the skill by name or use /travelmapify
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.2.2
Clean text-only input with external AI Vision workflow. Removed internal image processing, simplified to pure text input. Added proper documentation for AI Vision image analysis workflow. Fixed cross-city geocoding issues with explicit city context. Configured FlyAI API key support.
v2.2.1
Enhanced server management: servers start before POI search. Proper Amap POI integration with two-step geocoding. Removed Express.js dependency, now uses built-in Node.js HTTP server. Full portability with no absolute paths.
v2.2.0
Added automatic city detection, portable entry point, dynamic configuration, and enhanced server management
v2.1.5
Enhanced travelmapify with Xiaohongshu optimization, AI vision recognition, real FlyAI hotel search, and automatic server management. Matches flyai-travelmapify functionality.
Frequently Asked Questions
What is Travelmapify?
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images. It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.
How do I install Travelmapify?
Run "/install travelmapify" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Travelmapify free?
Yes, Travelmapify is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Travelmapify support?
Travelmapify is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Travelmapify?
It is built and maintained by rudy2steiner (@rudy2steiner); the current version is v2.2.2.