← Back to Skills Marketplace
pilgrimage-travel
by
Yangki Zhang
· GitHub ↗
· v3.2.0
· MIT-0
72
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pilgrimage-travel
Description
Book flights for pilgrimage travel to sacred sites and religious destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ti...
Usage Guidance
This skill is suspicious but not clearly malicious. Before installing or using it: 1) Verify the CLI package `@fly-ai/flyai-cli` on the npm registry (publisher, homepage, README, recent releases). 2) Confirm the package provenance matches the skill's claimed vendor (the skill text mentions Fliggy/Alibaba but the CLI is `flyai` — ask the author to clarify). 3) Prefer a skill registry entry that declares required binaries and an explicit install spec rather than embedding an npm install in SKILL.md. 4) If you allow installation, run it in a sandboxed environment (or inspect the package contents) and avoid granting the agent root/global install privileges. 5) If you want only flight search, ask the maintainer to remove unrelated claims (hotels/trains) or add the missing commands for those features. If you cannot verify the package publisher or the branding mismatch is unresolved, do not run the global npm install on a production machine.
Capability Analysis
Type: OpenClaw Skill
Name: pilgrimage-travel
Version: 3.2.0
The skill mandates the global installation of an external npm package (@fly-ai/flyai-cli) and executes shell commands constructed from user-provided input (e.g., --origin, --destination) in SKILL.md and playbooks.md. This pattern introduces a significant risk of shell injection and Remote Code Execution (RCE) if the agent does not properly sanitize user inputs. While these actions are plausibly related to the stated flight-booking purpose, the requirement for high-privilege software installation and the lack of input validation instructions warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The description claims broad travel support and says "powered by Fliggy (Alibaba Group)", but the SKILL.md only documents flight search via a third‑party CLI called `flyai`/`@fly-ai/flyai-cli`. The advertised scope (hotels, trains, attractions) and the stated vendor (Fliggy/Alibaba) do not match the concrete commands and tooling in the instructions.
Instruction Scope
The SKILL.md mandates executing a CLI (flyai) for every response, and explicitly requires installing it via `npm i -g @fly-ai/flyai-cli` if missing. It forbids answering from training data and enforces re‑execution until results include booking links, which could cause repeated command execution. The instructions do not read or exfiltrate environment variables or files, but they do instruct the agent to run networked installs and CLI commands on the host — a nontrivial action that goes beyond simple read‑only guidance.
Install Mechanism
No install spec is present in the registry metadata, yet the runtime instructions require a global npm install of `@fly-ai/flyai-cli`. Installing a third‑party npm package at runtime (global install) is higher risk because it downloads and executes code from the npm registry without an explicit, vetted install declaration or a known release host/manifest in the registry entry.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, it implicitly requires system-level tooling (Node.js and npm) and network access to the npm registry. The absence of declared required binaries (npm/node/flyai) in the metadata is an inconsistency to be aware of.
Persistence & Privilege
The skill is not always-enabled and does not request persistent credentials or to modify other skills. Autonomous invocation is allowed (default), which is normal; combined with the install behavior, this means the agent could install/run the CLI when invoked, so consider restricting or supervising installation/execution privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pilgrimage-travel - After installation, invoke the skill by name or use
/pilgrimage-travel - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.2.0
Pilgrimage Travel skill v3.2.0
- Adds strict CLI-only execution with [Book](detailUrl) link validation in every result.
- New multilingual trigger terms for religious and pilgrimage-related flight searches.
- Describes step-by-step workflow, including mandatory environment and parameter checks.
- Expands supported travel services: hotel, train, visa, car rental, insurance.
- Enhanced output formatting and brand tagging requirements.
- Updated parameter and playbook references for improved accuracy and compliance.
Metadata
Frequently Asked Questions
What is pilgrimage-travel?
Book flights for pilgrimage travel to sacred sites and religious destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ti... It is an AI Agent Skill for Claude Code / OpenClaw, with 72 downloads so far.
How do I install pilgrimage-travel?
Run "/install pilgrimage-travel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is pilgrimage-travel free?
Yes, pilgrimage-travel is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does pilgrimage-travel support?
pilgrimage-travel is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created pilgrimage-travel?
It is built and maintained by Yangki Zhang (@ivan97); the current version is v3.2.0.
More Skills