← Back to Skills Marketplace

Travel Swarm

Name: Travel Swarm
Author: timo2026

by Timo2026 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install travel-swarm

Description

Integrated travel planner combining FlyAI ticket prices, Gaode and Tencent map POI, Meituan food recommendations, and fallback McDonald's options.

Usage Guidance

This package appears to be a real multi-MCP travel planner, but there are multiple inconsistencies and operational risks you should check before installing: - Verify which environment variables the code actually reads. SKILL.md lists GAODE_API_KEY but code uses AMAP_API_KEY; ensure you map your keys correctly and avoid pasting unrelated secrets. Search the code for os.getenv(...) to find all expected names (e.g., AMAP_API_KEY, MINIMAX_API_KEY, FLYAI keys). - Expect the skill to make outbound network calls to FlyAI, Amap/Gaode, Tencent, Meituan and to model endpoints (minimax). Only supply API keys you trust and run the skill in an isolated environment if possible. - The repo includes scripts and docs to run a web service on port 7860 and watchdog/resurrection scripts and even a hardcoded external IP in docs. Do not blindly run startup/watchdog scripts as root; review them first and consider running under a container or sandbox. - The codebase contains unrelated-looking CNC/industrial logic and many test/dev files — this suggests code reuse. Review the code paths that handle user input and external calls (flyai_client, multi_mcp_client, minimax_client) for any unexpected data exfiltration or unknown endpoints. - If you are not comfortable auditing the code, run it in an isolated VM/container with no sensitive credentials mounted. Prefer providing per-service API keys with limited privileges and rotate them after testing. If you want, I can list the exact files that read environment variables and the exact env-var names the code expects, or scan the codebase for hardcoded external hosts and URLs to help you decide.

Capability Analysis

Type: OpenClaw Skill Name: travel-swarm Version: 1.0.0 The skill bundle contains multiple critical Remote Code Execution (RCE) vulnerabilities due to the unsafe use of `subprocess.run(shell=True)` with unsanitized user input in `backend/utils/flyai_client.py` and `shrimp_system/main_shrimp.py`. Furthermore, numerous sensitive API keys for services like Gaode Maps, Tencent Maps, and MiniMax are hardcoded throughout the codebase (e.g., in `food_nearby_api.py`, `multi_mcp_client.py`, and `real_api_client.py`). While these appear to be severe security oversights and poor coding practices rather than intentional malware, the combination of RCE vectors and leaked credentials makes the bundle highly risky for deployment.

Capability Tags

cryptorequires-oauth-token

Capability Assessment

ℹ Purpose & Capability

The code files (flyai_client, amap/meituan/tencent clients, multi_mcp, report generator) align with the stated travel-planner purpose. However, there are surprising artifacts: several socratic/engine components include CNC/industrial keyword handling (unrelated to travel) and the README/SKILL.md names of map API env vars (GAODE_API_KEY) do not match code usage (AMAP_API_KEY). These suggest code reuse or sloppy packaging rather than pure intent mismatch, but they are unexplained.

⚠ Instruction Scope

SKILL.md runtime instructions are limited (install via clawhub, set API keys), but the repo/docs contain operational instructions to run a long‑running web service on port 7860, watchdog/resurrection scripts, and a hardcoded external IP (http://47.253.101.130:7860/) in deployment docs. The code invokes external MCP endpoints and model clients (minimax), and some modules will read environment variables beyond those declared in the SKILL.md. This broad operational scope (service hosting + watchdog) is not fully reflected in the top-level skill metadata.

ℹ Install Mechanism

There is no install spec that downloads arbitrary payloads (lowest-risk install type). The bundle includes many source files and helper scripts, so installation will place code on disk and likely run a web service if followed. No external archive/URL-based install was detected, which reduces immediate supply-chain risk, but the included startup/watchdog scripts increase operational persistence once installed.

⚠ Credentials

SKILL.md lists required API keys (FLYAI_API_KEY, GAODE_API_KEY, optional TENCENT_MAP_KEY and MEITUAN_API_KEY) but the registry metadata claims 'none' for required env vars — a direct mismatch. The code expects AMAP_API_KEY in places (os.getenv('AMAP_API_KEY', '')) rather than GAODE_API_KEY, and other components (minimax_client, FlyAIClient) imply additional credentials (MINIMAX_API_KEY, etc.) not declared in SKILL.md. Asking for multiple external service keys is reasonable for this feature set, but the inconsistent naming and undocumented credential needs are a red flag: misconfiguration could leak or misroute secrets.

ℹ Persistence & Privilege

The skill does not set always:true and is user-invocable only (normal). However, the repository includes watchdog/resurrection scripts and service startup guidance to run a persistent web UI on port 7860. If a user follows those docs, the skill will become a persistent networked service. This is not inherently malicious but raises the operational blast radius in combination with networked API clients and model calls.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install travel-swarm
After installation, invoke the skill by name or use /travel-swarm
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

openclaw-travel-swarm-v8 initial release: - Integrates multi-platform travel planning with FlyAI, Gaode, Tencent, Meituan, and McDonald's fallback. - Supports real-time ticket price search (FlyAI/Fliggy). - POI verification with both Gaode and Tencent Maps. - Food recommendations via Meituan; fallback to McDonald's. - Generates map screenshots. - Requires API keys for main functions.

Metadata

Slug travel-swarm

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Travel Swarm?

Integrated travel planner combining FlyAI ticket prices, Gaode and Tencent map POI, Meituan food recommendations, and fallback McDonald's options. It is an AI Agent Skill for Claude Code / OpenClaw, with 66 downloads so far.

How do I install Travel Swarm?

Run "/install travel-swarm" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Travel Swarm free?

Yes, Travel Swarm is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Travel Swarm support?

Travel Swarm is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Travel Swarm?

It is built and maintained by Timo2026 (@timo2026); the current version is v1.0.0.

More Skills