← Back to Skills Marketplace

Tour Compare

Name: Tour Compare
Author: liangnex

by Liang · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tour-compare

Description

专业旅游线路对比分析，支持多平台商品链接和截图，提供价格、行程、评分等多维度智能对比与个性化推荐。

Usage Guidance

What to consider before installing or running this skill: - The code and docs match the described purpose (URL scraping, OCR, analysis), but the package will try to install node dependencies at runtime (compare.sh auto-runs npm install). Puppeteer (optional) will download Chromium; canvas/tesseract.js have native or large-assets requirements. If you run this on your machine, expect big downloads and possible native build steps. - SKILL.md contains unicode control characters (a prompt-injection signal). Treat this as suspicious: view the raw SKILL.md (hex/visible control-char safe viewer) and confirm there are no hidden instructions or data before running automated processes. - package-lock entries reference a non-standard registry mirror (registry.anpm.alibaba-inc.com). Prefer installing only from official registries or inspect package-lock and network traffic. Consider running npm install with a lockfile you trust or in a sandbox. - Do not run the demo script or compare.sh in an environment with sensitive data or unattended automation. demo.sh uses read -p and /dev/tty (interactive) which can hang or behave unexpectedly in non-interactive agents. compare.sh will install deps automatically — to avoid unexpected installs, run npm install manually after reviewing package.json and package-lock. - Run in an isolated sandbox (VM/container) or code-audit first: search for network endpoints, hard-coded URLs, exfiltration logic, or unexpected child_process.exec usage. Pay attention to any code that posts data to remote endpoints or runs arbitrary shell commands. - If you only need the comparison logic without crawling, use JSON-mode inputs (no network fetch) and avoid enabling puppeteer/optional deps. Consider disabling autonomous execution of the skill in your agent unless you reviewed/approved its behavior. - If you want to proceed, recommended steps: inspect SKILL.md raw, review src/crawler/ota-crawler.js and src/crawler/image-recognizer.js for any outbound endpoints, run npm install with a trusted registry and verify packages, and execute in a sandboxed environment.

Capability Analysis

Type: OpenClaw Skill Name: tour-compare Version: 1.0.0 The skill bundle contains several high-risk patterns, most notably hardcoded absolute file paths referencing a specific local user directory (`/Users/zihui/`) in both `SKILL.md` and `src/ui/summary-template.js`. This presents a significant risk for path traversal or local information disclosure if the agent attempts to write reports to these locations. Additionally, the use of `puppeteer` in `src/crawler/ota-crawler.js` for web scraping without robust URL sanitization introduces potential SSRF (Server-Side Request Forgery) vulnerabilities. While these issues appear to be unintentional 'lazy' coding or leftover development configurations rather than intentional data exfiltration, the combination of arbitrary file writing and network crawling capabilities makes the bundle high-risk.

Capability Assessment

✓ Purpose & Capability

Name/description (旅游线路对比) matches the included code: crawler (ota-crawler.js), OCR (image-recognizer.js), analyzer and exporter. The declared capabilities (URL fetch, screenshot OCR, JSON input, PNG export) align with the code files and package.json optional deps (puppeteer, tesseract.js, canvas). No unrelated credentials or bizarre binaries are requested.

⚠ Instruction Scope

SKILL.md and docs instruct the agent to fetch arbitrary OTA product URLs, OCR user-provided screenshots, write HTML/PNG reports to file:///Users/zihui/.openclaw/workspace/..., and run local CLI scripts. The packaged scripts (compare.sh, demo.sh) will run node src/index.js and demo.sh uses read -p /dev/tty which can block automated runs. The SKILL.md also contains unicode control chars (prompt-injection signal). Overall the instructions go beyond purely stateless text processing (they instruct network fetches, filesystem writes, and local installs) — reasonable for this tool but should be executed with care and explicit consent.

⚠ Install Mechanism

There is no declared install spec in the registry metadata, but package.json and scripts expect npm installs. compare.sh will auto-run npm install if node_modules is missing, which causes dependencies (optional deps include puppeteer and canvas) to be fetched at runtime. Puppeteer will fetch Chromium (large binary) and canvas may require system libraries. package-lock references a non-standard registry mirror (registry.anpm.alibaba-inc.com) in some entries, increasing supply-chain observation risk. No direct arbitrary remote archive downloads were found, but implicit npm installs and Chromium downloads are a non-trivial runtime action.

✓ Credentials

The skill requests no environment variables, no credentials, and no config paths in the registry metadata. The code and docs do not require API keys or other secrets. That is proportionate for a web-scraping/OCR/comparison tool. (Caveat: running npx clawhub publish examples or npx clawhub login noted in docs would require user tokens — these are optional publishing steps, not core to the skill's function.)

ℹ Persistence & Privilege

The skill is not 'always: true' and does not request elevated privileges. However it will write local report files (examples show a user-local file:// path) and the packaged demo/CLI will run npm install and write to the workspace. Autonomous invocation is allowed (default), which combined with the earlier concerns (auto-installs and prompt-injection markers) increases blast radius — consider requiring explicit user approval before running network installs or the crawler.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tour-compare
After installation, invoke the skill by name or use /tour-compare
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

tour-compare 1.0.0 - 首次发布，提供旅游线路横向智能对比与个性化分析 - 支持主流 OTA 链接、截图 OCR、JSON 多种输入方式 - 自动识别价格、天数、团型、酒店等核心维度差异 - 输出文字分析、可视化报告及相关决策引导 - 内置避坑提醒、人群画像适配和跨目的地对比功能

Metadata

Slug tour-compare

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Tour Compare?

专业旅游线路对比分析，支持多平台商品链接和截图，提供价格、行程、评分等多维度智能对比与个性化推荐。 It is an AI Agent Skill for Claude Code / OpenClaw, with 93 downloads so far.

How do I install Tour Compare?

Run "/install tour-compare" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tour Compare free?

Yes, Tour Compare is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tour Compare support?

Tour Compare is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Tour Compare?

It is built and maintained by Liang (@liangnex); the current version is v1.0.0.

More Skills