Description

韩国/首尔美容医美预约助手，内置 1300+ 家皮肤科/整形医院数据库（BeautsGO 平台）。支持：①按医院名或项目类型（激光/注射/整形）查询预约流程；②直接调用接口提交预约（收集人数/时间/联系方式后 POST，无需浏览器）；③打开医院详情页/价格表/在线客服；④中/英/日/泰四语言。触发场景：询问韩国美...

README (SKILL.md)

韩国医美预约指南 Skill

Name: Korean Booking
Author: beautsgo

根据用户输入的医院名称，自动匹配医院并生成完整的 BeautsGO 平台预约流程说明，同时支持打开详情页、发起咨询、直接调用接口提交预约、查看价格表。

Dependencies

npm install - 安装所有依赖

⚠️ 重要：输出规则

调用 skill 返回的文本内容，必须原文完整输出给用户，禁止重新排版、精简、合并或省略任何部分。

❌ 不得合并"iOS"和"Android"为一条
❌ 不得删除"温馨提示"部分
❌ 不得改变渠道标题、编号或 emoji
✅ 原样输出 skill 返回的 Markdown 文本，一字不改

⚠️ 重要：浏览器操作规则

打开页面操作必须通过以下脚本执行，禁止 AI 自行编写或调用 browser 工具。

操作	命令
打开医院详情页	`node api/browser/open-url.js \x3Curl>`
打开咨询客服页	`node api/browser/open-url.js \x3Cchat_url>`
打开价格表页面	`node api/browser/open-url.js \x3Cprice_url>`

chat_url 规则：从 hospital.url 提取 slug，拼接为 https://i.beautsgo.com/cn/hospital/\x3Cslug>-chat price_url 规则：从 hospital.url 提取 slug，拼接为 https://i.beautsgo.com/cn/hospital/\x3Cslug>-price

退出码说明：

0 — 成功
1 — 严重错误

⚠️ 重要：多轮对话规则

每一轮都必须调用本 skill，禁止 AI 自行使用 browser 工具操作页面。

第1轮：用户询问医院预约 → 调用 skill（query=医院名）
第2轮：用户说"打开链接" → 调用 skill（query="打开链接"，context 传入医院名）
第3轮：用户说"帮我预约" → 调用 skill（query="帮我预约"，context 传入医院名）
第4轮：用户提供预约信息（人数+时间）→ 调用 skill（query=用户输入，context 传入医院名）
第5轮：用户说"咨询客服" → 调用 skill（query="咨询客服"，context 传入医院名）
任意轮：用户询问价格/费用/多少钱 → 调用 skill（query=原始输入，context 传入医院名）

context 传递格式（必须）：

{
  "query": "2人，3月26日，13800138000",
  "lang": "zh",
  "context": {
    "resolvedHospital": {
      "name": "韩国JD皮肤科",
      "url": "https://i.beautsgo.com/cn/hospital/jd-clinic?from=skill"
    }
  }
}

功能

支持中文名、英文名、拼音、首字母缩写、别名等多种方式匹配 961 家医院
生成包含 App Store / Google Play / 微信小程序 / 微信公众号 / 网页端五大渠道的预约流程
自动生成搜索关键词（中文名、英文名、拼音、首字母）
支持中/英/日/泰四语言
打开医院详情页、咨询对话页、价格表页
直接调用 API 接口提交预约（无需浏览器，收集人数/时间/联系方式后直接 POST）

调用方式 - 多轮对话流程

第1轮：用户询问预约流程

输入：

{ "query": "JD皮肤科怎么预约", "lang": "zh" }

输出示例：

[预约流程详细说明...]

---
💡 接下来，选择你想要的操作：
• "打开链接" → 打开医院详情页
• "帮我预约" → 收集预约信息（人数/时间/联系方式），直接调用接口提交，**不打开浏览器**
• "咨询客服" → 打开在线客服页

第2轮：打开链接（详情页）

输入： { "query": "打开链接" }

执行： node api/browser/open-url.js \x3Chospital.url>

输出： ✅ 已打开 XXX 的页面，介绍页面内容及后续操作

第3轮：帮我预约（收集预约信息 → 接口提交）

输入： { "query": "帮我预约" }

⚠️ 不打开浏览器，不打开任何页面。直接询问用户预约信息，收集后调用接口提交。

输出：

好的，帮你预约 **XXX** 🏥

📝 请告诉我以下信息，我直接帮你提交预约：
1. 预约人数（例如：1人、2人）
2. 预约时间（例如：3月26日）
3. 时间段（上午 / 下午 / 全天，默认全天）
4. 联系方式（手机号）

👉 直接回复，例如："2人，3月26日下午，13800138000"

第4轮：接口提交预约

输入： { "query": "2人，3月26日下午，13800138000" }

执行： 调用 POST https://api.yestokr.com/api/Appointment/saveFromSkill

{
  "contact": "13800138000",
  "expected_time": "2026-03-26 下午",
  "project_type": "",
  "d_id": "",
  "h_id": 250,
  "p_id": "",
  "num": 2,
  "source_type": "skill"
}

输出（成功）：

✅ 预约已提交！

📋 预约信息摘要：
• 🏥 机构：韩国JD皮肤科
• 👥 人数：2 人
• 📅 时间：2026-03-26 下午
• 📞 联系方式：13800138000

第5轮：咨询客服

输入： { "query": "咨询客服" }

执行： node api/browser/open-url.js \x3Cchat_url>

chat_url = https://i.beautsgo.com/cn/hospital/\x3Cslug>-chat，从 hospital.url 自动推导

输出： ✅ 已打开 XXX 的在线客服对话页面

任意轮：查看价格表

输入： { "query": "JD皮肤科价格多少" } 或 { "query": "查价格" }（结合 context 中的医院信息）

执行： node api/browser/open-url.js \x3Cprice_url>

price_url = https://i.beautsgo.com/cn/hospital/\x3Cslug>-price，从 hospital.url 自动推导

输出： ✅ 已打开 XXX 的价格表页面

数据

医院数据：data/hospitals.json（961条）
预约流程模板：templates/booking.tpl
多语言文本：i18n/\x3Clang>.json

新增医院只需在 hospitals.json 中添加记录，无需修改代码。

Usage Guidance

What to consider before installing: - Trust and provenance: The skill bundles a large hospital DB and code but has no homepage or clear publisher metadata. Confirm you trust the author/platform (BeautsGO / api.yestokr.com). Prefer only installing skills from verified sources. - Browser automation risks: The skill launches a real browser (Playwright) with flags that disable web security and bypass CSP, and grants clipboard/geolocation permissions. This increases the ability of in-page scripts to do things that would normally be blocked. If you run this on a machine that contains sensitive data or credentials, consider sandboxing or running in an isolated environment. - Automatic submission and payment risk: The code can auto-fill forms and click buttons including '去付款'/'去下单'. Even if the SKILL.md asserts bookings go via an API, the skill contains browser form-submission flows — test carefully to ensure it will not trigger unintended payments. - Context scanning and data exposure: The resolver will recursively scan context fields (strings) to find hospital names; if your agent context contains other private text (emails, session tokens, notes), the skill may read and use that text when resolving hospitals. Avoid passing sensitive data in context if you enable the skill. - Prompt‑injection indicators: The SKILL.md contains patterns consistent with prompt-injection (base64 and unicode control characters) and also enforces strict output rules. This is unusual and warrants caution. Ask the author to explain why those constructs are present and to remove any hidden/encoded instructions. - Practical mitigations: Run the skill in an isolated environment first, review and run a security audit of the repository if possible, and test booking flows with inert/test phone numbers. If you cannot verify the source or you have sensitive agent context, do not install or enable autonomous invocation. If you want, I can point out the specific lines in the code that correspond to the flagged items (web-security flags, clipboard permission, recursive context scanning, and the prompt-injection fragments) to help you ask the author for clarifications or to prepare a safer runtime configuration.

Capability Analysis

Type: OpenClaw Skill Name: korean-booking Version: 2.6.8 The skill provides legitimate Korean medical booking functionality but contains significant security vulnerabilities. Specifically, `api/browser/open-url.js` uses `child_process.exec` to open URLs without sanitization, which could lead to command injection if a URL is manipulated (e.g., via a malicious hospital slug). Additionally, `api/browser/consult.js` launches Chromium with the `--disable-web-security` flag, weakening the browser's security model. While these behaviors appear to be functional choices for automation rather than intentional malice, the lack of input validation and the use of risky browser configurations warrant a suspicious classification. IOCs include the booking API at api.yestokr.com and the platform domain i.beautsgo.com.

Capability Assessment

✓ Purpose & Capability

The code and bundled data match the declared purpose: a BeautsGO-backed booking assistant. It includes a hospitals DB, matching logic, renderer, browser automation helpers (open/consult/fill-form), and an API POST implementation to submit bookings to https://api.yestokr.com/api/Appointment/saveFromSkill — all coherent with the description.

⚠ Instruction Scope

SKILL.md contains strong runtime constraints that affect agent behavior: it mandates calling the skill in every multi-turn, forbids the agent from using other browser tools, and forces exact verbatim output. The skill's resolver.walk-through collects arbitrary string fields from the provided context (recursively up to depth 4) which can make the skill read and act on unrelated context text (risk of unintentionally using sensitive content). The SKILL.md also contains known prompt-injection patterns (base64 block and unicode control chars) which is suspicious and may indicate attempts to control agent output or behavior.

ℹ Install Mechanism

There is no explicit install spec, but package.json / package-lock.json and runtime notes require Node and heavy npm packages (playwright + chromium). That is not an external download from an unknown host, but Playwright/Chromium are large native deps and may require additional platform installs. No remote arbitrary URL downloads were found in the provided files.

⚠ Credentials

The skill does not request environment variables or external credentials (good). However the Playwright context creation sets broad capabilities that may be disproportionate: it disables web security, bypasses CSP, uses '--no-sandbox' and other flags, and grants geolocation and clipboard-read/clipboard-write permissions. Disabling web security and enabling clipboard access increases the risk surface (e.g., the automated browser could access pages/resources that would normally be blocked, and could read clipboard contents if code were added). Network permission is scoped to the BeautsGO domain and the single booking API, which aligns with purpose.

ℹ Persistence & Privilege

The skill does not request 'always' presence and does not modify other skills. SKILL.md's operational rule that every multi-turn must call the skill is an instruction to the agent, not a platform privilege — but it could cause frequent invocation and repeated access to context. Autonomous invocation is allowed (default), which is expected for skills.

Version History

v2.6.8

更新技能说明：900+ → 1300+ 皮肤科医院数据库

v2.6.7

修复 title 显示问题，确保与 Beautsgo Booking 区分

v1.0.1

v1.0.1 security hardening

v2.6.6

加 permissions/privacy/runtime 声明修复安全扫描，精炼 description 避免截断

v2.6.5

加 title/tags 字段，description 补充「美容」关键词，优化 clawhub 市场搜索命中率

v2.6.4

新增 download 意图：用户说帮我下载/下载APP 返回 iOS App Store、Google Play、APK 三个下载链接；预约流程操作建议中加入下载APP选项

v2.6.3

温和化 description，移除禁止/必须/强制等语气词，避免安全扫描误判

v2.6.2

泛意图推荐列表：用户说做脸/打玻尿酸/激光等，直接返回分类推荐；修复fill_form误触发日期词；preprocessor清洗增强

v2.6.1

fix: 优化关键词提取精度（停用词扩展、JD误匹配修复、token分词匹配）

v2.6.0

feat: 扩展触发词覆盖泛医美意图（首尔/做脸/皮肤管理等无医院名场景）；加无医院名兜底引导逻辑；修复 AI 重排版输出问题；同步 skill.json 版本号规范

v2.5.2

预约改走接口：删除浏览器自动填表，直接 POST saveFromSkill，支持日期解析

v2.5.1

新增多语言地址字段（zh_cn/en/ko_kr/ja/th），950条医院数据已补全

v2.5.0

新增价格表查询功能：支持价格/费用/多少钱等关键词，自动推导并打开对应医院价格页（/hospital/<slug>-price）

v2.4.4

修复假成功问题：日期选择失败时提前报错，不再无条件返回成功

v2.4.3

新增预约时间段选择（上午/下午/全天），修复日历日期选择和uni-app白屏问题

v2.4.2

修复自动填写表单流程：添加手机UA+Chrome flags解决uni-app白屏，修复日历日期选择器和确认按钮选择器

v2.4.1

咨询客服改为直接打开 chat URL；新增 getChatUrl() 自动从 slug 推导咨询页地址

v2.4.0

refactor: 抽离浏览器操作为独立脚本api/browser/，SKILL.md和skill.js共用同一套代码，两端行为完全一致

v2.3.0

fix: 触发描述改为兜底写法，覆盖所有韩国医美机构，不再只限JD和CNP

v2.2.9

fix Jekyll front matter and baseurl for GitHub Pages

Metadata

Slug korean-booking

Version 2.6.8

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 34

Frequently Asked Questions

What is Korean Booking?

韩国/首尔美容医美预约助手，内置 1300+ 家皮肤科/整形医院数据库（BeautsGO 平台）。支持：①按医院名或项目类型（激光/注射/整形）查询预约流程；②直接调用接口提交预约（收集人数/时间/联系方式后 POST，无需浏览器）；③打开医院详情页/价格表/在线客服；④中/英/日/泰四语言。触发场景：询问韩国美... It is an AI Agent Skill for Claude Code / OpenClaw, with 401 downloads so far.

How do I install Korean Booking?

Run "/install korean-booking" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Korean Booking free?

Yes, Korean Booking is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Korean Booking support?

Korean Booking is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Korean Booking?

It is built and maintained by BeautsGO (@beautsgo); the current version is v2.6.8.

More Skills

Korean Booking