← 返回 Skills 市场

携程机票助手 - ctrip flight

Name: 携程机票助手 - ctrip flight
Author: hi-yu

作者 hiyu · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

216

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ctrip-flights

功能描述

This skill should be used when the user wants to search for domestic flight tickets in China, query flight prices, find the cheapest flights, compare airline...

使用说明 (SKILL.md)

Ctrip Domestic Flight Search

Search domestic flight tickets via Ctrip's API. Provides real-time flight information including prices, airlines, schedules, aircraft types, and low-price calendars.

Prerequisites

Install the required Python package before first use:

pip install quickjs

The skill also requires the _extract/c-sign.js file bundled in the scripts/ directory.

Usage

Run the search script located at scripts/ctrip_flight.py. Both departure and arrival support city names, IATA codes, or province names. When a province is specified, all airports in that province are queried and compared automatically.

python3 scripts/ctrip_flight.py 北京 上海 2026-04-02 --md
python3 scripts/ctrip_flight.py 北京 广东 2026-04-02 --md
python3 scripts/ctrip_flight.py 浙江 云南 2026-04-05 --json

Parameters:

Arg 1: departure — city name, IATA code, or province name
Arg 2: arrival — city name, IATA code, or province name
Arg 3: departure date in YYYY-MM-DD format
Arg 4 (optional): cabin — Y = Economy (default), C = Business, F = First
--json or -j: output structured JSON
--md or -m: output Markdown tables (default)

When a province is given (e.g. "广东"), the script queries all airport cities in that province (广州, 深圳, 珠海), compares prices across routes, and recommends the cheapest option.

Examples:

python3 scripts/ctrip_flight.py 北京 上海 2026-04-02
python3 scripts/ctrip_flight.py 广州 成都 2026-04-05 C

Programmatic Usage

import sys
sys.path.insert(0, "path/to/ctrip-flight/scripts")
from ctrip_flight import search_to_region, to_json, to_markdown

# Single city or province query — province auto-expands to all airports
result = search_to_region("北京", "广东", "2026-04-02")

# result contains:
#   query.isMultiRoute  — True if province was used
#   routeSummaries      — per-route lowest price comparison
#   bestRoute           — the cheapest route overall
#   allFlights          — combined flight list from all routes

md = to_markdown(result)
js = to_json(result)

Supported Locations

Cities: 北京, 上海, 广州, 深圳, 珠海, 成都, 杭州, 温州, 宁波, 武汉, 西安, 重庆, 南京, 天津, 长沙, 三亚, 海口, 昆明, 丽江, 西双版纳, 厦门, 福州, 大连, 沈阳, 青岛, 济南, 哈尔滨, 长春, 郑州, 贵阳, 太原, 兰州, 乌鲁木齐, 南宁, 桂林, 合肥, 南昌

Provinces (auto-expand to all airport cities): 广东(广州/深圳/珠海), 浙江(杭州/温州/宁波), 福建(厦门/福州), 山东(青岛/济南), 辽宁(大连/沈阳), 海南(三亚/海口), 云南(昆明/丽江/西双版纳), 广西(南宁/桂林), 黑龙江, 吉林, 河南, 湖北, 湖南, 江苏, 江西, 安徽, 陕西, 四川, 贵州, 山西, 甘肃, 新疆

Output

Two output formats are supported:

Markdown (--md, default): Renders flight data as Markdown with tables and summary. Ideal for LLM responses and chat display.

JSON (--json): Structured JSON with query, summary, directFlights, transferFlights, and lowPriceCalendar fields. Ideal for downstream processing.

How It Works

The skill reverse-engineered Ctrip's anti-crawl protections:

sign header: MD5(transactionID + cityCode + cityCode + date)
w-payload-source header: Ctrip's c-sign.js executed via QuickJS engine
FVP cookie: Extracted from server-rendered HTML page
token header: Not required (discovered via testing)

安全使用建议

This skill mostly does what it says, but take these precautions before installing or running it: - Review the bundled scripts yourself (or have someone you trust review them). The c-sign.js file is obfuscated, so its behavior is not immediately auditable even though it's used locally to compute request headers. - Note the Python code disables TLS certificate validation (SSL_CTX.verify_mode = ssl.CERT_NONE). That weakens transport security and could enable MITM attacks if DNS or network routing is tampered with; consider re-enabling certificate checks before use. - The script writes .cookie_cache.json (cookie and generated IDs) into the scripts directory. Don’t run it in a directory with sensitive files and avoid running as a privileged user. - If you only need data and want less risk, consider calling official, documented APIs (if available) or implement your own signing after understanding the JS logic. Run the script in an isolated environment (container/VM) if you must execute it. - If you are unsure about the obfuscated JS, request a deobfuscated or audited version from the author or avoid running it.

功能分析

Type: OpenClaw Skill Name: ctrip-flights Version: 1.0.0 The skill facilitates flight searches on Ctrip by utilizing reverse-engineered anti-bot logic. It includes a heavily obfuscated JavaScript payload (scripts/_extract/c-sign.js) executed via the quickjs engine to generate required request signatures. Critically, the Python script (scripts/ctrip_flight.py) explicitly disables SSL certificate verification (ssl.CERT_NONE), introducing a significant vulnerability to Man-in-the-Middle (MITM) attacks. While these techniques are contextually aligned with web scraping, the use of obfuscated code and the intentional weakening of transport security are high-risk behaviors.

能力评估

✓ Purpose & Capability

Name/description match the shipped artifacts: a Python script that queries Ctrip flight endpoints and an included c-sign.js used to compute anti-crawl headers. The code, usage, and provided city/province lists are coherent with a flight-search skill.

ℹ Instruction Scope

SKILL.md limits runtime actions to running scripts and installing quickjs; the Python code indeed only contacts Ctrip endpoints, fetches an HTML page to extract an FVP cookie, posts search requests, and writes a local cookie cache file. However the script executes bundled, heavily obfuscated JavaScript (c-sign.js) via QuickJS to compute a payload header — that reduces transparency and makes it harder to verify exactly what the runtime JS does.

✓ Install Mechanism

No remote downloads or installers are used; it's instruction-only and requires pip install quickjs. All required code is bundled with the skill (no external arbitrary URL downloads), which is low-install risk.

ℹ Credentials

The skill requires no external credentials or environment variables (which matches its purpose). It does create and persist a local .cookie_cache.json in the script directory and generates UIDs/cookies used for requests. There are no other declared secrets, but the cookie content is stored on disk and the code disables TLS verification (see persistence of cookies and TLS concern).

✓ Persistence & Privilege

always is false; the skill only writes a local .cookie_cache.json and does not request to modify system or other skills' configurations. It runs only when invoked.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ctrip-flights
安装完成后，直接呼叫该 Skill 的名称或使用 /ctrip-flights 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Ctrip Domestic Flight Search skill v1.0.0 - Search for domestic flight tickets in China by city, IATA code, or province, including price and schedule comparison. - Supports province input: automatically expands to all airport cities and finds the lowest prices across routes. - Offers real-time flight info with prices, airlines, schedules, and low-price calendars via Ctrip's API. - Output available as Markdown tables (default) or structured JSON. - Requires Python and the quickjs package; integrates Ctrip's anti-crawl circumvention methods.

元数据

Slug ctrip-flights

版本 1.0.0

许可证 MIT-0

累计安装 3

当前安装数 3

历史版本数 1

常见问题