← 返回 Skills 市场

What to Eat Today | 今天吃什么

Name: What to Eat Today | 今天吃什么
Author: pancat009

作者 Pancat009 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

281

总下载

当前安装

版本数

在 OpenClaw 中安装

/install eat-what-today-skill

功能描述

智能解决”今天吃什么”难题。根据用户地点、天气、心情、预算、就餐方式（外卖/堂食/自己做）快速推荐菜品，并附图片参考。**当用户说”今天吃什么”、”不知道吃啥”、”帮我推荐”、”想吃XX”或表达任何餐饮需求时，必须使用此技能。** 目标是少问问题、快给结果，必要时最多补问 1-2 个关键问题。

使用说明 (SKILL.md)

Eat What Today Skill

用于在对话中快速完成“吃什么”决策，避免长链路盘问。

何时使用

用户表达“今天吃什么”“不知道吃啥”“帮我推荐外卖/做饭”
用户给出任意偏好信息：地点、天气、心情、预算、时间段、是否想自己做

交互原则（重点）

先猜后问：优先从用户原话中提取偏好，不要一上来连续提问。
快速收敛：首次直接给 3 个候选 + 各自理由。
最少追问：仅在推荐分歧大时，补问最多 1-2 个问题（优先问预算上限、忌口）。
给出画面感：每个候选附一张图片路径，方便进一步发送给客户参考。
能落地：每个推荐明确适合外卖/堂食/自己做。

执行脚本

在技能目录下执行：

cd /path/to/eat-what-today-skill
python scripts/skill_cli.py "用户原话"

或使用直接调用：

python /path/to/eat-what-today-skill/scripts/skill_cli.py "用户原话"

可选覆盖参数（当你已明确拿到信息时）：

python scripts/eat_what_today.py "今天吃什么" --weather rainy --mood tired --mode takeaway --budget low --city_tag south

统一入口也支持同样参数：

python scripts/skill_cli.py "今天吃什么" --weather rainy --mood tired --mode takeaway --budget low --city_tag south

输出格式要求

先给结论：3 个菜品推荐。
每个推荐说明：推荐理由、预算档、辣度、就餐方式。
每个推荐附图片参考路径与 markdown 图片链接。
结尾给一个轻量动作建议：
- “回我 1/2/3，我给你同类不重样备选”

注意事项

不做医疗建议，不处理严重饮食禁忌诊断。
若用户明确说”别问了，直接拍板”，直接给单一最优推荐 + 1 个备选。
若用户信息极少，仍然先给推荐，再补问最多 1 个关键问题。

飞书发图片（重要！）

✅ 当前稳定方案（direct runtime 兼容）

当在 OpenClaw 飞书环境发送本地图片时：

先复制图片：将推荐菜品图片复制到工作目录：
```
/home/azureuser/.openclaw/workspace/
```
使用 media 字段发送：调用 message 工具时，使用 media 字段传递 workspace 路径
发送顺序规则（推荐列表必须遵守）：
- 一段文字说明 → 一张图 → 一段文字 → 一张图（顺序发送）
- 禁止使用 Markdown 本地路径图片（如 ![img](local/path.jpg)）
- 禁止只发文字不发图

标准结构示例（推荐 3 个菜品时）：

# 今日推荐 🍽️

## 1. 红烧肉（¥25-35）
肥而不腻，入口即化，适合雨天暖身...
[发送图片1]

## 2. 宫保鸡丁（¥20-30）
经典川菜，麻辣鲜香...
[发送图片2]

## 3. 清炒时蔬（¥12-18）
清爽解腻，营养均衡...
[发送图片3]

回复 1/2/3 继续推荐同类菜品 🚀

单张图片场景：
- 文字说明 → 立即发送对应图片
- 禁止分开发送（文字和图片必须连续）

⚠️ 禁止事项

❌ 禁止使用 Markdown 本地图片路径
❌ 禁止只发文字描述不发送实际图片
❌ 禁止一次性发送多张图片（必须逐张发送）
❌ 禁止在图片发送前插入无关内容

适用场景

此规则适用于：

OpenClaw direct runtime 环境
飞书消息推送
任何需要发送本地图片的对话场景

安全使用建议

This skill is functionally coherent for recommending dishes and providing images, but take these precautions before installing or enabling it: - Network & downloads: the image helper scrapes Bing and calls Pollinations and will save images locally. If you need to avoid external network traffic, do not run the hydrate script. - External commands: the hydrate script supports --external-ai-cmd which is executed via subprocess with shell=True. Only pass trusted commands and prefer not to accept untrusted input into that parameter to avoid command injection. - Verify images: downloaded/generated images are saved to disk; review them before forwarding to users or channels. - Image path mismatch: SKILL.md asks operators to copy images into /home/azureuser/.openclaw/workspace/ for OpenClaw runtime, but the code searches assets/foods_image in the project. Confirm how your runtime maps workspaces to the skill assets so images are discoverable and not accidentally read from unexpected locations. - Sandbox when possible: run the scripts in a controlled environment (no unnecessary permissions, limited network) until you validate behavior. If you want to proceed, consider removing or hardening the external command feature and auditing the hydrate script's download behavior.

功能分析

Type: OpenClaw Skill Name: eat-what-today-skill Version: 1.0.0 The skill bundle contains a significant command injection vulnerability in 'scripts/hydrate_food_images.py' via the use of 'subprocess.run(shell=True)' with unvalidated string formatting from the food database. While the provided 'assets/menu_db.json' currently contains benign food names, the logic allows arbitrary shell execution if the database is modified. Additionally, 'SKILL.md' includes prescriptive instructions for the AI agent to move files into a hardcoded absolute path ('/home/azureuser/.openclaw/workspace/'), which is a risky practice in multi-user or containerized environments.

能力评估

ℹ Purpose & Capability

Name and description match the included code and data: recommendation logic (scripts/eat_what_today.py), a curated menu DB (assets/menu_db.json) and image-hydration utilities. The skill is not purely instruction-only despite registry saying 'instruction-only' — it includes multiple Python scripts and an assets folder, which is coherent with its stated purpose.

⚠ Instruction Scope

SKILL.md directs the agent/operator to run the provided CLI and to copy/send local images to a specific workspace path (/home/azureuser/.openclaw/workspace/). The implementation looks for images under assets/foods_image in the project, so there is a potential mismatch between the SKILL.md's workspace instructions and the code's image lookup. The hydrate_food_images script scrapes Bing image search, calls a public Pollinations image generation endpoint, and can execute a user-provided external command — all at runtime. Those network and subprocess actions are within the feature's scope (fetching/generating images) but broaden the runtime capabilities and risk surface.

✓ Install Mechanism

No install spec (instruction-only in registry), so nothing is written during installation. However, at runtime the scripts perform network downloads (bing image scraping, Pollinations) and write files to assets/foods_image and may modify menu_db.json via the expand scripts. No opaque remote install URLs are used.

ℹ Credentials

The skill does not request environment variables or credentials. It does require network access to download or generate images and optionally runs a user-supplied external command (--external-ai-cmd). The lack of declared network requirement is not a secret leak, but the external command + shell execution increases risk if untrusted inputs are passed.

✓ Persistence & Privilege

always is false and the skill does not request elevated or global agent privileges. It writes to its own assets (assets/foods_image, assets/menu_db.json) when run. It does not modify other skills or global configuration.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install eat-what-today-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /eat-what-today-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Eat What Today Skill 1.0.0 - Initial release: smart dish recommendation for "What to eat today" scenarios. - Instantly recommends 3 dishes with reasons, price range, dining mode, and image paths. - Extracts user preferences (location, weather, mood, budget, dine/takeaway/cook) to minimize follow-up questions. - Strict message/image sending rules for Feishu/OpenClaw: text and one image in sequence, no Markdown local paths, always include images. - Includes fallback and concise options for users wishing for immediate, single-choice recommendations.

元数据

Slug eat-what-today-skill

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题