← Back to Skills Marketplace
通用商旅出行规划助手
by
Chaoliuzhu
· GitHub ↗
· v2.1.0
· MIT-0
187
Downloads
1
Stars
0
Active Installs
7
Versions
Install in OpenClaw
/install universal-travel-planner
Description
通用商旅出行规划技能 v1.0 · 面向所有商务出差人士。 一站式AI出行规划 + 全平台酒店比价 + HTML报告生成。 集成12306 MCP(火车票实时查询)+ 高德地图(路径规划/POI/天气)+ Web搜索(航班/酒店价格)。 支持**实时HTML报告生成**,所有预订链接真实可一键跳转。 触发条件:...
Usage Guidance
This skill appears to do what it claims (travel planning with real‑time train/map data and HTML reports), but it instructs the agent to run remote npm packages via `npx -y` at runtime and provides no source/homepage or pinned package versions. Running `npx` like this can execute arbitrary third‑party code on the agent environment. Before installing or enabling: 1) ask the publisher for source code or repository links and for pinned package versions; 2) review the source of packages named (e.g., 12306-mcp, xhs-mcp) yourself or request a vetted release; 3) avoid supplying high‑privilege or unrelated credentials; 4) if you must use it, run in an isolated/sandboxed environment or require explicit approval before the agent executes external packages; 5) prefer an implementation that uses well-known APIs with documented auth flows instead of dynamic npx execution.
Capability Analysis
Type: OpenClaw Skill
Name: universal-travel-planner
Version: 2.1.0
The travel planner skill integrates multiple external services but introduces a supply chain vulnerability by using 'npx -y' to execute unpinned MCP packages (12306-mcp, xhs-mcp) as described in SKILL.md. This pattern allows for potential remote code execution if the package names are hijacked or subject to typosquatting. While the behavior aligns with the stated purpose of travel planning and no direct evidence of intentional malice was found, the use of unverified external execution is a high-risk security flaw.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description (travel planning, 12306/Gaode integration, HTML reports) align with the instructions: queries 12306 MCP, Gaode APIs, web searches, and builds HTML reports. The use of 12306-mcp and amap endpoints is coherent for real‑time train/map data.
Instruction Scope
SKILL.md instructs the agent to collect travel parameters from the user, query MCP servers, Gaode APIs, and web search results, then generate an HTML report. It does not request reading arbitrary local files or unrelated credentials. However, it explicitly tells the agent to execute dynamic npm packages (e.g., `npx -y 12306-mcp`, optional `npx -y xhs-mcp`), which gives those remote packages runtime control and broad capabilities—this expands the effective scope of what the skill can do at runtime.
Install Mechanism
There is no install spec; the runtime instructions call `npx -y <package>` to fetch and run npm packages on demand. Dynamic npx installs execute code from the npm registry, which is a moderate-to-high supply-chain risk compared with using a vetted, pinned install or known release host. No package versions are pinned and no provenance/homepage is provided.
Credentials
The skill declares no required environment variables and only lists AMAP keys as optional. Asking for map API keys (AMAP_WEB_KEY / AMAP_JSAPI_KEY / AMAP_SECURITY_CODE) is proportionate to map/weather/POI functionality. The skill does not request unrelated credentials or access to system config paths.
Persistence & Privilege
always:false and no install spec mean the skill does not demand permanent elevated presence. It does not declare modifications to other skills or system-wide settings. The main privilege concern comes from executing remote packages at runtime, not from persistence flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install universal-travel-planner - After installation, invoke the skill by name or use
/universal-travel-planner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
首发版本:12306火车票+高德地图+酒店比价+HTML报告
v1.0.3
首发版本:12306火车票+高德地图+酒店比价+HTML报告
v2.0.0
首发版本:12306火车票+高德地图+酒店比价+HTML报告
v1.1.0
首发版本:12306火车票+高德地图+酒店比价+HTML报告
v1.0.2
优化商旅规划能力,新增高德地图路径规划
v1.0.1
修复版本冲突,补充说明文档
v1.0.0
首发版本
Metadata
Frequently Asked Questions
What is 通用商旅出行规划助手?
通用商旅出行规划技能 v1.0 · 面向所有商务出差人士。 一站式AI出行规划 + 全平台酒店比价 + HTML报告生成。 集成12306 MCP(火车票实时查询)+ 高德地图(路径规划/POI/天气)+ Web搜索(航班/酒店价格)。 支持**实时HTML报告生成**,所有预订链接真实可一键跳转。 触发条件:... It is an AI Agent Skill for Claude Code / OpenClaw, with 187 downloads so far.
How do I install 通用商旅出行规划助手?
Run "/install universal-travel-planner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 通用商旅出行规划助手 free?
Yes, 通用商旅出行规划助手 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 通用商旅出行规划助手 support?
通用商旅出行规划助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 通用商旅出行规划助手?
It is built and maintained by Chaoliuzhu (@chaoliuzhu); the current version is v2.1.0.
More Skills