qy-zhang

mt-travel-ai

by Fitzwilliam Zhang · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
137 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install mt-travel-ai
Description
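Built on Meituan's hotel and travel supply, this skill handles travel needs: it provides search and booking for hotels, flights and trains, attraction tickets, and vacation packages, along with customized travel itinerary planning, covering the full chain from "inspiration" to "one-click ordering".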
Usage Guidance
This skill appears to do what it claims (call a Meituan travel CLI) but has multiple security concerns you should weigh before installing or using it. Key points to consider:
- Do not paste highly sensitive tokens into chat unless you fully trust the recipient; prefer creating a limited-scope token or a separate test account for this skill.
- The skill instructs the agent to save your token in plaintext at ~/.config/meituan-travel/config.json. If you proceed, inspect that file, set strict permissions (chmod 600), and consider deleting the token when finished.
- Verify the npm package (@meituan-travel/travel-cli) before installing: check publisher identity and package source on the npm registry. Prefer installing manually yourself rather than having the agent run installs.
- Be cautious about the mandated 'passthrough' of CLI output (images/links): it may relay unexpected or sensitive content verbatim. If you use this skill in a channel you don't fully control, avoid sending secrets there.
- Ask the skill author (or maintainer) to fix inconsistencies: declare required binaries/env in the manifest, remove the requirement to paste tokens into chat (support an out-of-band secure token entry), and recommend secure storage (encrypted or OS keyring) rather than plaintext files.
If you need higher assurance, request an implementation or package audit (package source, publisher identity, and a review of the CLI) before providing real credentials.
Capability Analysis
Type: OpenClaw Skill
Name: mt-travel-ai
Version: 1.0.2
The skill manages sensitive API tokens by instructing the agent to execute shell commands (mkdir, cat) to write configuration files to the local filesystem (~/.config/meituan-travel/config.json). It also relies on an external global NPM package (@meituan-travel/travel-cli) and presents a potential shell injection vulnerability by passing user-provided queries directly into a command-line execution string (mttravel [城市] "<query>"). While these behaviors are plausibly intended for the stated travel service functionality, the combination of direct shell manipulation and unvalidated input handling constitutes a high-risk profile.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The skill's description (Meituan travel assistant) matches the runtime behavior: it uses a travel CLI and an API token to query Meituan data. However, the manifest declares no required binaries or env vars while SKILL.md requires installing and invoking an npm CLI (mttravel) and reading/writing ~/.config/meituan-travel/config.json — this mismatch between manifest and runtime instructions is an inconsistency to be aware of.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt the user to paste an API token into the chat, then run shell commands to create ~/.config/meituan-travel/config.json containing that token. It also mandates absolute passthrough of CLI output (images/links) and special behavior for WeChat (call a 'message' tool). These instructions cause the agent to read/write the user's home filesystem and to relay whatever the CLI returns without filtering — increasing risk of accidental disclosure or transmission of sensitive or malicious content. There is also a contradictory emphasis ('Token is highly sensitive, do not print token in chat') paired with asking the user to paste the token into the conversation.
Install Mechanism
There is no install spec in the registry metadata, but SKILL.md instructs users/agents to run 'npm i -g @meituan-travel/travel-cli' and then use 'mttravel'. Requiring a global npm package is a moderate-risk install vector (traceable to npm package metadata if you verify it) and should be validated by the user. The manifest not listing this requirement is another inconsistency.
Credentials
The skill does not request environment variables, but it requires an API token (stored at ~/.config/meituan-travel/config.json). Having users paste tokens into chat and saving them to a plaintext file is disproportionate from a security perspective: the token could be exfiltrated via logs, conversation history, or if the agent relays CLI output. The token-handling workflow lacks guidance for scoping/revoking tokens or restricting file permissions.
Persistence & Privilege
The skill writes a persistent plaintext credential file in the user's home directory (~/.config/meituan-travel/config.json). While always:false (not force-included), this persistent storage of sensitive credentials in an obvious path is a privilege/persistence risk — especially on shared machines or if backups/agent logs include that file. The skill does not instruct encrypting the token or tightening file permissions.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mt-travel-ai
  3. After installation, invoke the skill by name or use /mt-travel-ai
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
optimize display format
v1.0.1
optimize display rule
v1.0.0
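meituan-travel Skill 1.0.0 – initial release
- Provides a full-chain travel assistant built on Meituan's hotel and travel supply, supporting search and booking for hotels, flights, trains, attraction tickets, vacation packages, and itinerary planning.
- Includes a dedicated token management and authentication guidance flow to ensure user data security and smooth API calls.
- Output strictly follows rules such as zero deletion, no compression, score annotation, mandatory inline images, and passing prices and data through unchanged.
- Defines the boundaries of applicable scenarios and error-handling plans to improve the user experience.
- Provides detailed contingency plans and friendly prompts for unavailable situations (network timeout, city recognition failure, etc.).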
Metadata
Slug mt-travel-ai
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is mt-travel-ai?

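Built on Meituan's hotel and travel supply, this skill handles travel needs: it provides search and booking for hotels, flights and trains, attraction tickets, and vacation packages, along with customized travel itinerary planning, covering the full chain from "inspiration" to "one-click ordering". It is an AI Agent Skill for Claude Code / OpenClaw, with 137 downloads so far.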

How do I install mt-travel-ai?

Run "/install mt-travel-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is mt-travel-ai free?

Yes, mt-travel-ai is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does mt-travel-ai support?

mt-travel-ai is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created mt-travel-ai?

It is built and maintained by Fitzwilliam Zhang (@qy-zhang); the current version is v1.0.2.
