Travel Mapify
by rudy2steiner · GitHub · v2.2.2 · MIT-0
151 Downloads · 0 Stars · 0 Active Installs · 5 Versions
Install in OpenClaw
/install travel-mapify
Description
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images.
Usage Guidance
Do not install or run this skill on any machine you care about without code changes. Specific risks:
1) scripts/amap-proxy.js constructs a shell command that includes user-provided query/city parameters and invokes exec — this can allow arbitrary command execution if an attacker can send crafted requests to the proxy.
2) The proxy sets CORS '*' and calls server.listen(PORT) without binding to localhost, making it network-accessible by default.
3) The package embeds a default Amap API key and claims 'no user API key required', which may leak or be abused.
Recommended mitigations before using:
- run only in an isolated VM/container;
- modify amap-proxy.js to bind to 127.0.0.1 and avoid using shell exec (use a direct API client or properly escape/validate inputs);
- remove/discard the embedded API key and require a user-provided key;
- verify that required external skills (amap-maps, FlyAI CLI) are legitimate and present;
- inspect and run the code manually rather than allowing any automated install.
If you lack the ability to review or safely sandbox code, treat this skill as unsafe.
Capability Analysis
Type: OpenClaw Skill
Name: travel-mapify
Version: 2.2.2
The skill contains a critical shell injection vulnerability in 'scripts/amap-proxy.js'. The 'handleSearch' function accepts user-controlled input from URL parameters ('query' and 'city') and concatenates them directly into a shell command string executed via 'child_process.exec', allowing for arbitrary command execution. Additionally, 'scripts/ensure_servers_running.py' performs aggressive system actions by identifying and forcefully killing processes on ports 8769 and 8780 using 'lsof' and 'os.kill'. While these appear to be poorly implemented utility features rather than intentional malware, the RCE risk via the proxy server is significant.
Capability Assessment
Purpose & Capability
The name/description (interactive maps + FlyAI hotel search + AI Vision) aligns with included code: geocoding, route generation, a hotel-search backend and vision helpers are present. However the registry metadata declares no required env vars/credentials while the code and docs reference AMAP_KEY, OPENCLAW_WORKSPACE, and require a separate amap-maps skill and FlyAI CLI — an inconsistency between declared requirements and actual implementation.
Instruction Scope
SKILL.md describes auto-starting local servers and using AI Vision for POI extraction, which matches the code. But the runtime instructions and scripts cause the skill to start network services (HTTP proxy on port 8769, hotel server port 8770, map server on 9000). The proxy accepts GET parameters and passes them directly into a shell command (via exec) without escaping — the instruction surface therefore directs the agent to run processes that access local files and execute shell commands constructed from external input, which goes beyond simple geocoding.
Install Mechanism
No install spec (instruction-only) — lower risk in that nothing is auto-downloaded. But several included Node/Python scripts will try to invoke other components (flyai CLI, amap-maps scripts). The packaged scripts assume presence of external skills/tools (amap-maps, FlyAI CLI) and would run system commands; there is no packaged, vetted installer here.
Credentials
Registry lists no required env vars, but code reads/uses OPENCLAW_WORKSPACE, attempts to discover a flyai executable, and amap-proxy.js falls back to an embedded Amap API key ('88628414733cf2ccb7ce2f94cfd680ef'). Shipping a built-in API key (and advertising 'no user key required') is questionable (quota/abuse and privacy implications). The skill does not request unrelated external credentials, but the mismatch between declared and actual env/credential use is concerning.
Persistence & Privilege
Skill is not 'always: true', but it auto-starts several HTTP services when used (map HTTP server, hotel server, Amap proxy). The Amap proxy sets Access-Control-Allow-Origin: '*' and listens with server.listen(PORT) (no host restriction), which makes it reachable from other hosts on the network. Combined with the unsafe shell exec usage, this gives the skill significant network-exposed attack surface beyond what users likely expect.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install travel-mapify
- After installation, invoke the skill by name or use /travel-mapify
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.2.2
Clean text-only input with external AI Vision workflow. Removed internal image processing, simplified to pure text input. Added proper documentation for AI Vision image analysis workflow. Fixed cross-city geocoding issues with explicit city context. Configured FlyAI API key support.
v2.2.1
Enhanced server management: servers start before POI search. Proper Amap POI integration with two-step geocoding. Removed Express.js dependency, now uses built-in Node.js HTTP server. Full portability with no absolute paths.
v2.2.0
Added automatic city detection, portable entry point, dynamic configuration, and enhanced server management
v2.1.5
Enhanced travel-mapify with Xiaohongshu optimization, AI vision recognition, real FlyAI hotel search, and automatic server management. Based on flyai-travelmapify functionality.
v1.0.0
Initial release—transform travel planning images or location lists into interactive, professional route maps.
- Supports both image (OCR) and text (comma-separated locations) inputs for POI extraction.
- Uses Amap geocoding API to obtain precise coordinates and validate locations.
- Generates interactive web maps with dual edit/view modes, route optimization, and POI management.
- Integrates real hotel search via FlyAI for live hotel prices, availability, and booking links.
- Automatically starts HTTP and hotel search servers, providing ready-to-use map outputs.
- Professional UX: enhanced notifications, responsive design, drag-and-drop, and export options.
Frequently Asked Questions
What is Travel Mapify?
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images. It is an AI Agent Skill for Claude Code / OpenClaw, with 151 downloads so far.
How do I install Travel Mapify?
Run "/install travel-mapify" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Travel Mapify free?
Yes, Travel Mapify is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Travel Mapify support?
Travel Mapify is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Travel Mapify?
It is built and maintained by rudy2steiner (@rudy2steiner); the current version is v2.2.2.