gaogao605

分贝通旅行 (Fenbeitong Travel)

by fenbeitong-trip · GitHub ↗ · v2.4.1 · MIT-0
cross-platform ⚠ suspicious
110 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install travels
Description
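One-stop corporate travel service covering the full workflow: hotel search and booking, flight search and booking, rebooking and refunds. Intelligent requirement confirmation, silent background authentication, and side-by-side comparison tables. Based on official Fenbeitong data; real-time, accurate and reliable.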
Usage Guidance
This skill appears to implement the travel functionality it advertises, but review these points before installing or using it with real accounts:
- PII persistence and logging: The code writes auth tokens (~/.fbt-auth.json / ~/.fbt_auth.json) and price caches (~/.fbt_price_cache.json) to your home directory and prints passenger name/phone/ID to stdout in some scripts. This contradicts the SKILL.md statement that passenger info is not logged. If you care about privacy, inspect file locations and file permissions and consider running in an isolated environment.
- Hard-coded token: hotel_api.py contains a DEFAULT_ACCESS_TOKEN constant. Treat hard-coded secrets as risky — confirm whether it's a harmless test token and rotate or remove it if you plan to use a real account.
- Shell execution risk: travel_api.py uses os.system with joined arguments. If untrusted input can reach those commands, shell injection is possible. Prefer subprocess with argument lists or sanitize inputs.
- Network endpoints: the code talks to app-gate.fenbeitong.com (matches the vendor name). If you do not trust the source, do not allow the skill network access or run it behind network monitoring.
- Mitigations: run the skill in a sandboxed environment or container, inspect and remove hard-coded secrets, set strict file permissions on created files, and review/modify code to avoid os.system and to avoid printing PII. If you cannot audit the code, treat it as untrusted and avoid supplying real passenger credentials or corporate accounts.
Capability Analysis
Type: OpenClaw Skill
Name: travels
Version: 2.4.1
The skill bundle contains several significant security vulnerabilities, although no clear evidence of intentional malice was found. Key issues include the explicit disabling of SSL certificate verification in `scripts/common.py` (using `ssl._create_unverified_context`), which exposes the agent to Man-in-the-Middle (MITM) attacks, and a potential shell injection vulnerability in `scripts/travel_api.py` where `os.system` is used with unsanitized command-line arguments. Additionally, `scripts/hotel_api.py` contains a hardcoded `DEFAULT_ACCESS_TOKEN`. While these are critical flaws, they appear to be poor security practices rather than intentional malware designed for exfiltration or persistence.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description, declared binary requirement (python3), and network endpoints (app-gate.fenbeitong.com) align with a Fenbeitong enterprise travel integration. Declared auth files (~/.fbt_auth.json, ~/.fbt-auth.json) are consistent with the described per-system authentication.
Instruction Scope
SKILL.md instructs the agent to perform silent background auth checks and strict output formatting; that is consistent. However, the documentation states '乘客信息仅在预订时发送,不记录在日志' ("passenger information is sent only at booking time and is not recorded in logs"), while the code prints passenger name/phone/ID to stdout (e.g., flight_order.py) and persists auth tokens and the price cache to files in the user's home directory (~/.fbt-auth.json, ~/.fbt_price_cache.json). This contradicts the 'no logging' claim and means PII/credentials may be stored on disk and appear in logs. The SKILL.md also directs running scripts with user-derived arguments; the runtime code uses os.system to invoke scripts with joined args (travel_api.py), which can be vulnerable to shell injection if inputs are not sanitized.
Install Mechanism
Instruction-only skill with a requirements.txt (requests). No external downloads or install scripts. The code bundle is provided; nothing is fetched from unknown URLs during install.
Credentials
No environment variables or unrelated credentials are requested. The skill stores auth tokens and caches under the user's home directory (expected for this purpose), but a hard-coded DEFAULT_ACCESS_TOKEN value exists in hotel_api.py (fbsk-2db251f6c8d74ce69ae3dcb82ed1055b). Hard-coded tokens in code can be a security concern (may grant access without user authentication). The code persists mobile numbers in auth files, which is PII — acceptable for a booking tool but should be clearly documented and protected.
Persistence & Privilege
The skill is not always-enabled and uses local persistent files (auth token, price cache, temp seat files) under the user home. That behavior is expected, but combined with printed PII and a default token it increases persistence of sensitive data. Autonomous invocation is allowed by default (not flagged by itself), which increases blast radius if the skill is later abused.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install travels
  3. After installation, invoke the skill by name or use /travels
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.4.1
v2.4.1 Changelog
- Added intelligent understanding of users' hotel requirements, plus intelligent hotel recommendation and comparison
v1.0.0
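Fenbeitong Travel Assistant 1.0.0
- Initial release, integrating hotel booking and flight booking into a one-stop corporate travel service
- Implemented a unified authentication flow: a single login gives access to all features
- Supports hotel search, room type lookup, booking, order lookup and cancellation
- Supports flight search, cabin and policy lookup, ticket booking, refunds/changes/endorsements, order lookup and cancellation
- Provides detailed command-line invocation examples and standardized display requirements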
Metadata
Slug travels
Version 2.4.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is 分贝通旅行?

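One-stop corporate travel service covering the full workflow: hotel search and booking, flight search and booking, rebooking and refunds. Intelligent requirement confirmation, silent background authentication, and side-by-side comparison tables. Based on official Fenbeitong data; real-time, accurate and reliable. It is an AI Agent Skill for Claude Code / OpenClaw, with 110 downloads so far.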

How do I install 分贝通旅行?

Run "/install travels" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 分贝通旅行 free?

Yes, 分贝通旅行 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 分贝通旅行 support?

分贝通旅行 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 分贝通旅行?

It is built and maintained by fenbeitong-trip (@gaogao605); the current version is v2.4.1.
