← Back to Skills Marketplace
fistfulayen

Skill

by fistfulayen · GitHub ↗ · v2.3.0
cross-platform ⚠ suspicious
691
Downloads
0
Stars
0
Active Installs
7
Versions
Install in OpenClaw
/install ubtrippin
Description
Manages travel for your user via UBTRIPPIN — trips, items, loyalty programs, family, city guides, events, concerts, notifications, and more. Use when the use...
Usage Guidance
Before installing, verify the ubtrippin service and publisher (check ubtrippin.xyz and the referenced GitHub repo). Be aware the skill requires you to provide a UBTRIPPIN API key (ubt_k1_...) and a registered sender email — these are not declared in the registry metadata, so treat that as a transparency gap. Consider these safety steps: (1) only supply an API key created specifically for this integration and keep it scoped/rotatable if the service supports it; (2) avoid storing the key in plaintext in long-lived agent configs; use ephemeral tokens or a secrets manager if possible; (3) understand that forwarding booking emails (with attachments) to [email protected] will transmit sensitive travel and identity data — confirm you trust the destination and its privacy policy; (4) ask the publisher to correct the registry metadata to declare required env vars and primary credential; (5) test with non-sensitive/demo data first, and be ready to revoke the API key if you see unexpected behavior.
Capability Analysis
Type: OpenClaw Skill Name: ubtrippin Version: 2.3.0 The skill bundle is classified as suspicious due to the presence of high-risk capabilities that could be exploited via prompt injection against the AI agent. Specifically, the `SKILL.md` file documents a `webhooks` API (`POST /api/v1/webhooks`) which allows the agent to configure an arbitrary URL to receive real-time event data (e.g., `trip.created`, `item.added`). This presents a significant data exfiltration risk, as a compromised agent could be instructed to send sensitive user travel data to an attacker-controlled server. Additionally, the `GET /api/v1/me/loyalty/export` endpoint allows for bulk export of sensitive loyalty program data, which could also be exfiltrated if the agent is maliciously prompted. These are legitimate API features, but their exposure to an AI agent creates a critical vulnerability.
Capability Assessment
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or primary credential, but SKILL.md and example scripts clearly require a UBTRIPPIN API key (ubt_k1_...) and the user's registered sender email for forwarding bookings. Functionally the requests (trips, items, loyalty, email parsing) align with a travel manager, but the metadata omission is an incoherence that hides the need for a sensitive API key and a verified sender email.
Instruction Scope
Runtime instructions include forwarding booking confirmation emails (including PDF attachments) from the user's registered email address to [email protected] and calling the service with a Bearer token. Forwarding/processing emails and attachments may expose sensitive personal data (tickets, PII). The SKILL.md also tells the agent to store the API key (agent config or TOOLS.md). The instructions do not describe how the agent obtains permission or access to send emails from the user's address, which is a scope creep/risk if the agent attempts mailbox access or automated forwarding.
Install Mechanism
No install spec; this is an instruction-only skill with example scripts. No downloads, extracts, or third-party packages are installed by the skill bundle itself.
Credentials
The skill requires a UBTRIPPIN API key and the user's registered sender email to operate, yet the registry metadata declares no required env vars or primary credential. That mismatch is concerning because it hides that a secret (API key) must be supplied and may be stored persistently. The number and sensitivity of the secrets requested is proportionate to the service if declared explicitly, but the metadata omission reduces transparency.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However SKILL.md explicitly recommends storing the UBTRIPPIN API key in agent config or TOOLS.md, which would persist the secret in the agent environment — a normal installation behavior but a persistent sensitive artifact the user should manage (rotate/revoke when needed).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ubtrippin
  3. After installation, invoke the skill by name or use /ubtrippin
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.3.0
PRD-026 complete: full API coverage
v2.2.0
Add ticket/event kind
v2.1.1
Lite version for context-constrained agents, profile setup step, ?status=upcoming example
v2.1.0
Comprehensive item creation docs — full field schema, examples for every booking type, batch operations, agent tips
v2.0.1
Updated README with install troubleshooting, _meta.json with correct version, homepage link to www
v2.0.0
Full API coverage
v1.0.0
UBTRIPPIN skill initial release. - Lets you view and manage upcoming trips, bookings, and travel details by connecting with the UBTRIPPIN API. - Supports reading all user trips, viewing trip itineraries (flights, hotels, trains, etc.), and detailed item info. - New bookings are added by forwarding confirmation emails from the user’s registered sender address. - Includes setup, API authentication, error handling, and usage instructions for typical travel management tasks. - Requires a UBTRIPPIN API key and the user's registered sender email.
Metadata
Slug ubtrippin
Version 2.3.0
License
All-time Installs 0
Active Installs 0
Total Versions 7
Frequently Asked Questions

What is Skill?

Manages travel for your user via UBTRIPPIN — trips, items, loyalty programs, family, city guides, events, concerts, notifications, and more. Use when the use... It is an AI Agent Skill for Claude Code / OpenClaw, with 691 downloads so far.

How do I install Skill?

Run "/install ubtrippin" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill free?

Yes, Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill support?

Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill?

It is built and maintained by fistfulayen (@fistfulayen); the current version is v2.3.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments