← 返回 Skills 市场
旅行助手
作者
fenbeitong-trip
· GitHub ↗
· v1.0.0
· MIT-0
92
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install fenbeitong-travel
功能描述
分贝通旅行助手 - 一站式酒店预订、机票预订服务。支持酒店搜索、房型查询、预订下单;航班搜索、舱位查询、机票预订、改期、退票。
使用说明 (SKILL.md)
分贝通旅行助手
一站式企业差旅服务,整合酒店预订和机票预订功能。
🔐 鉴权流程(必须先完成)
重要:使用任何功能前,用户必须先完成鉴权流程。鉴权成功后获得的凭证会自动保存在 ~/.fbt-auth.json 文件中,新会话会自动沿用。
鉴权步骤
步骤 1:发送验证码
用户: 分贝通登录
AI: 请输入您的手机号
用户: 13800138000
AI: ✅ 验证码已发送,请在5分钟内输入
步骤 2:验证并获取凭证
用户: 1234
AI: 🎉 认证成功!现在可以使用分贝通旅行服务了
鉴权命令
# 发送验证码
python3 scripts/auth.py send \x3C手机号>
# 验证验证码
python3 scripts/auth.py verify \x3C手机号> \x3C验证码>
# 查看鉴权状态
python3 scripts/auth.py status
🏨 酒店服务
1. 搜索酒店
触发词:订酒店、搜酒店、找酒店 + 城市/关键词
执行命令:
python3 scripts/hotel_api.py search \x3C城市> \x3C关键词> [入住日期] [退房日期]
示例:
python3 scripts/hotel_api.py search 北京市 三元桥附近 2026-03-26 2026-03-27
2. 查看房型价格
触发词:回复酒店序号(如"1")
执行命令:
python3 scripts/hotel_api.py price \x3C酒店ID> \x3C入住日期> \x3C退房日期>
3. 查看酒店详情和评论
触发词:回复"序号-详情"(如"1-详情")
执行命令:
python3 scripts/hotel_api.py detail \x3C酒店ID>
python3 scripts/hotel_api.py comment \x3C酒店ID>
4. 创建酒店订单
触发词:回复"房型序号-产品序号"(如"1-1")+ 提供入住人信息
执行命令:
python3 scripts/hotel_api.py order \x3C酒店ID> \x3C房型ID> \x3C产品ID> \x3C入住日期> \x3C退房日期> \x3C总价> \x3C入住人姓名> \x3C入住人手机号>
5. 查询/取消酒店订单
触发词:查看订单、取消订单
执行命令:
python3 scripts/hotel_api.py query_order \x3C订单ID>
python3 scripts/hotel_api.py cancel_order \x3C订单ID> [取消原因]
✈️ 机票服务
1. 搜索航班
触发词:某地到某地航班、查机票、搜航班 + 日期
执行命令:
python3 scripts/flight_search.py \x3C出发城市> \x3C到达城市> \x3C日期>
示例:
python3 scripts/flight_search.py 北京 上海 2026-04-02
2. 查看舱位价格
触发词:查看航班详情、这个航班的舱位
执行命令:
python3 scripts/flight_price.py \x3C出发机场三字码> \x3C到达机场三字码> \x3C日期> \x3C航班号>
示例:
python3 scripts/flight_price.py PEK SHA 2026-04-02 CA1501
3. 查看退改规则(可选)
触发词:退改规则、行李额、这个舱位的政策
执行命令:
python3 scripts/flight_guest_rule.py \x3C舱位编号>
4. 创建机票订单
触发词:订这个、预订、下单 + 乘客信息
执行命令:
python3 scripts/flight_order.py \x3C舱位编号> \x3C乘客姓名> \x3C乘客手机号> \x3C乘客证件号>
示例:
python3 scripts/flight_order.py 1 "张三" "13800138000" "110101199001011234"
5. 查询/取消机票订单
执行命令:
python3 scripts/flight_order_detail.py \x3C订单ID>
python3 scripts/flight_cancel.py \x3C订单ID>
6. 改期
触发词:改期、改签、换航班
执行命令:
# 搜索可改期的航班
python3 scripts/flight_endorse_search.py \x3C订单ID> \x3C改期日期>
# 查看改期价格
python3 scripts/flight_endorse_price.py \x3C订单ID> \x3C改期日期> \x3C新航班号>
# 提交改期申请
python3 scripts/flight_endorse_apply.py \x3C舱位编号> \x3C订单ID>
7. 退票
触发词:退票
执行命令:
# 查询退票费
python3 scripts/flight_refund_fee.py \x3C订单ID>
# 提交退票申请(需用户确认退票费)
python3 scripts/flight_refund_apply.py \x3C订单ID> \x3C退票金额>
📋 完整示例
酒店预订流程
用户: 预订北京三元桥附近的酒店 明日入住
AI: [展示酒店列表表格]
回复序号查看房型价格
用户: 3
AI: [展示房型和价格表格]
回复"房型序号-产品序号"预订
用户: 1-1 郜文彬 1348879748
AI: ✅ 订单创建成功!
订单号: xxx
[支付链接]
机票预订流程
用户: 4月2日北京到上海的航班
AI: [展示航班列表表格]
回复航班号查看舱位
用户: CA1501
AI: [展示舱位价格表格]
回复"舱位编号"预订
用户: 订第1个 张三 13800138000 110101199001011234
AI: ✅ 订单创建成功!
订单号: xxx
[支付链接]
⚠️ 重要注意事项
-
PII 安全:乘客姓名、手机号、证件号等个人信息仅在预订时发送至服务,不会在日志中暴露
-
日期格式:所有日期均为 YYYY-MM-DD
-
强制确认:
- 下单时必须索取乘客/入住人信息
- 退票时必须让用户确认退票费用
-
数据准确性:展示结果必须基于脚本输出的原始数据,不得修改或编造
-
统一鉴权:酒店和机票共用同一套鉴权系统,一次登录即可使用所有服务
📁 文件结构
fbt-travel/
├── SKILL.md # 技能说明文档
├── skill.json # 技能元数据
├── scripts/
│ ├── auth.py # 统一鉴权
│ ├── common.py # 公共函数
│ ├── hotel_api.py # 酒店API封装
│ ├── flight_search.py # 航班搜索
│ ├── flight_price.py # 舱位价格
│ ├── flight_order.py # 机票下单
│ ├── flight_order_detail.py # 订单详情
│ ├── flight_cancel.py # 取消订单
│ ├── flight_endorse_*.py # 改期相关
│ └── flight_refund_*.py # 退票相关
└── references/
└── HOTEL_API.md # 酒店API规范
📝 格式化输出模块
文件位置:scripts/formatter.py
展示配置
| 配置项 | 默认值 | 说明 |
|---|---|---|
| FLIGHT_LIST_LIMIT | 5 | 航班列表展示数量 |
| SEAT_LIST_LIMIT | 5 | 每个航班展示的舱位数量 |
格式化函数
from scripts.formatter import (
format_flight_list, # 航班列表格式化
format_seat_list, # 舱位价格格式化
format_order_result, # 订单创建结果格式化
format_baggage_info, # 行李额格式化
format_refund_rule, # 退改规则格式化
format_order_status # 订单状态格式化
)
展示字段规范
航班列表必须包含:
- 序号、航班号、航司、时间、航线、机型、最低价
舱位价格必须包含:
- 序号、舱位名称、舱位代码、折扣、票价、机建、燃油、总价、余座
订单详情必须包含:
- 订单号、航班信息、舱位信息
- 票价明细(票价+机建+燃油)
- 行李额(托运+手提)
- [立即支付] 按钮
版本历史
| 版本 | 日期 | 变更说明 |
|---|---|---|
| 1.1.0 | 2026-03-25 | 新增格式化输出模块,固化展示逻辑 |
| 1.0.0 | 2026-03-25 | 合并酒店和机票技能包,统一鉴权流程 |
安全使用建议
This skill appears to implement the travel features it advertises, but review these issues before installing or using with sensitive accounts:
- PII exposure: Several scripts print or persist personal data (names, phone numbers, identity numbers, ticket IDs) to stdout and to JSON files in your home directory. The SKILL.md claim that PII won't appear in logs is contradicted by the code. If you install, assume these files may contain PII and protect them (permissions, encryption, or delete after use).
- Token storage: The skill saves authentication tokens to a predictable file (~/.fbt-auth.json). Treat that file as sensitive. If you don't want credentials on disk, do not use this skill or modify it to store tokens securely (e.g., OS keyring).
- Hard-coded token: hotel_api.py contains a DEFAULT_ACCESS_TOKEN constant. That may be a test credential; it could allow unauthenticated calls or leak a shared token. Confirm with the vendor or remove it.
- Shell/command injection risk: travel_api.py uses os.system with joined argument strings. If inputs are not sanitized (e.g., an attacker-controlled string containing shell metacharacters), a command injection is possible. Prefer invoking Python modules directly (import + function call) or use subprocess with argument lists.
- Endpoint trust: All network calls go to app-gate.fenbeitong.com. Verify that this is the intended official endpoint and that you trust that service before sending personal data.
- Review missing files: Some files were truncated in the listing (common.py and others). Inspect common.py for how API calls are constructed, how secrets are handled, and whether any unexpected outbound endpoints exist.
Recommendations:
1) Inspect common.py and any remaining scripts before use.
2) Remove or rotate hard-coded tokens and avoid using production credentials until satisfied. 3) If you must use it, run in a restricted environment (non-root user, isolated VM/container) and restrict access to the saved auth/JSON files. 4) If you need stronger privacy, modify the scripts to avoid printing/storing PII and to use a secure secret store.
功能分析
Type: OpenClaw Skill
Name: fenbeitong-travel
Version: 1.0.0
The skill bundle contains several critical security vulnerabilities that could be exploited, although clear evidence of intentional malice is lacking. Specifically, `travel_api.py` is vulnerable to Remote Code Execution (RCE) because it uses `os.system()` to execute sub-scripts with unsanitized command-line arguments. Additionally, `common.py` explicitly disables SSL certificate verification via `ssl._create_unverified_context()`, making the agent susceptible to Man-in-the-Middle (MitM) attacks when communicating with `app-gate.fenbeitong.com`. The scripts also store sensitive API keys and user PII in plaintext within the user's home or temporary directories (`~/.fbt-auth.json`).
能力评估
Purpose & Capability
Name/description match the code and scripts: hotel and flight search/price/order/cancel/endorse/refund. Required binary (python3) is appropriate. No unrelated credentials or binaries are requested. Minor metadata/version mismatch observed (registry shows v1.0.0 while skill.json lists 1.1.0), which is likely bookkeeping but worth noting.
Instruction Scope
SKILL.md and scripts instruct the agent to perform authentication and to run local Python scripts which call the fenbeitong endpoints — expected for this skill. However SKILL.md claims 'PII will not be exposed in logs', yet scripts (e.g., flight_order.py, flight_order_detail.py) print passenger phone numbers and ID numbers to stdout and write booking/seat files (containing PII) to disk. That contradicts the stated privacy assurances and expands data exposure.
Install Mechanism
No install spec; only a requirements.txt (requests). All code is local Python scripts — no remote downloads or archive extraction. This is low-risk from an installation/remote-execution perspective.
Credentials
The skill requests no environment variables, which is proportional. It does persist an auth token and other data under the user's home directory (~/.fbt-auth.json and temporary JSON files for seat/order info). A DEFAULT_ACCESS_TOKEN is hard-coded in hotel_api.py (test token). Storing tokens and PII in predictable files and including a hard-coded token are privacy/security concerns even if they are functionally understandable for a travel client.
Persistence & Privilege
always:false and no system-wide config modification. The skill writes to user-writable locations (home dir and temp files) and will persist an auth token file (~/.fbt-auth.json) and saved seat/order JSON files. This is expected behavior for a client but increases attack surface and requires the user to trust the skill and the remote service.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install fenbeitong-travel - 安装完成后,直接呼叫该 Skill 的名称或使用
/fenbeitong-travel触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
分贝通旅行助手 - 一站式酒店预订、机票预订服务。支持酒店搜索、房型查询、预订下单;航班搜索、舱位查询、机票预订、改期、退票。
元数据
常见问题
旅行助手 是什么?
分贝通旅行助手 - 一站式酒店预订、机票预订服务。支持酒店搜索、房型查询、预订下单;航班搜索、舱位查询、机票预订、改期、退票。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 92 次。
如何安装 旅行助手?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install fenbeitong-travel」即可一键安装,无需额外配置。
旅行助手 是免费的吗?
是的,旅行助手 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
旅行助手 支持哪些平台?
旅行助手 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 旅行助手?
由 fenbeitong-trip(@gaogao605)开发并维护,当前版本 v1.0.0。
推荐 Skills