medical-tourism
Author: bufferstreamer · v3.2.0 · MIT-0
Total downloads: 71
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install medical-tourism
Description
Book flights for medical tourism, health checkups, and overseas treatment. Also supports: flight booking, hotel reservation, train tickets, attraction ticket...
Security usage advice
This skill is suspicious because its SKILL.md directs the agent to install and run a third-party npm CLI at runtime even though the package source and required binary are not declared in the registry. Before installing or enabling it:
1) Verify the upstream package (@fly-ai/flyai-cli) on npm/js.org and inspect its homepage and code; confirm it is the official client for the claimed service (Fliggy/Alibaba).
2) Don't install globally on a production machine — test in an isolated sandbox or VM first.
3) Ask the skill author for a homepage, source repository, and details on how authentication and booking are handled (does the CLI prompt for credentials, store tokens, or require API keys?).
4) If you cannot verify the npm package and its publisher, decline or restrict the skill; installing arbitrary npm packages globally can run arbitrary code and persist on your system.
5) If you proceed, monitor network activity and filesystem changes and avoid providing sensitive credentials until you confirm the integration flow.
Additional info (package homepage, code link, or publisher identity) would raise confidence and could change this assessment.
Functional analysis
Type: OpenClaw Skill
Name: medical-tourism
Version: 3.2.0
The skill mandates the global installation of an external NPM package (`npm i -g @fly-ai/flyai-cli`) within `SKILL.md` and `references/fallbacks.md` if the tool is not found. While this appears functional for flight searching, requiring an AI agent to install and execute arbitrary third-party binaries is a high-risk behavior that facilitates potential supply chain attacks and host environment modification. Additionally, the instructions use aggressive prompt-injection techniques to force the agent to bypass its internal knowledge and strictly follow CLI-driven execution paths.
Capability assessment
Purpose & Capability
The skill advertises flight/hotel/medical-tourism booking (claims 'Powered by Fliggy / Alibaba') but the runtime instructions rely on an external CLI (@fly-ai/flyai-cli) that is not declared in the registry metadata (no required binaries, no homepage or source). That mismatch (undeclared required binary + unknown upstream) is incoherent: a booking helper legitimately needs a booking API/CLI, but the registry should have declared that dependency and a trustworthy source.
Instruction Scope
SKILL.md instructs the agent to install (npm i -g @fly-ai/flyai-cli) and run flyai commands, to never answer from training data, and to re-run until every result contains a specific booking link. Those runtime actions cause network calls and global package installation and they assume the CLI will produce booking links and handle any auth — but the instructions do not specify where credentials come from or how authentication is performed. The skill also enforces strict rules (never use training data, always use CLI) that could cause the agent to attempt to install/run arbitrary code rather than gracefully degrade.
Install Mechanism
There is no declared install spec in the registry, yet the skill explicitly instructs installing a global npm package at runtime. Installing an arbitrary npm package globally can execute code on the host and persists on disk; the npm package (@fly-ai/flyai-cli) has no homepage/source listed in the skill metadata for verification. This is higher-risk than instruction-only behaviors that do not modify the host.
Credentials
The skill declares no required environment variables or credentials, which is unusual for a booking/booking-API integration (most booking flows require API keys, accounts, or OAuth). The absence of declared credentials may be explainable if the CLI handles auth interactively or via its own config, but that is not documented in SKILL.md — an information gap that reduces confidence and could hide exfiltration or unexpected auth flows.
Persistence & Privilege
Although the skill is not marked 'always', its runtime instructions install a global CLI (npm i -g), which creates persistent binaries on the host and can increase blast radius. The registry metadata did not surface this persistent install, so the skill effectively gains persisted presence without explicit declaration.
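How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: `/install medical-tourism`
- Once installation completes, call the skill by name or trigger it with `/medical-tourism`.
- Provide the required inputs according to the skill's parameter description to get structured output.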
Version history
v3.2.0
Medical tourism skill now operates exclusively via real-time CLI bookings with strict output validation.
- All responses must use real-time data from flyai CLI, never static knowledge or training data.
- Enforced `[Book](detailUrl)` link for every listed result; output with no link is invalid.
- Supports flight, hotel, train, attractions, itinerary, visa, insurance, and car rental booking, focused on medical travel scenarios.
- Handles both English and Chinese input; requires explicit parameter mapping and user confirmation when info is missing.
- Rigid output and workflow rules: CLI environment checks, step-by-step collection, execution, formatting, and output validation.
- Added brand tagging and output enrichment guidance for user results.
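FAQ
What is medical-tourism?
Book flights for medical tourism, health checkups, and overseas treatment. Also supports: flight booking, hotel reservation, train tickets, attraction ticket... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 71 total downloads to date.
How do I install medical-tourism?
Run the command "/install medical-tourism" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is medical-tourism free?
Yes, medical-tourism is completely free and uses the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does medical-tourism support?
medical-tourism is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed medical-tourism?
It is developed and maintained by bufferstreamer (@bufferstreamer); the current version is v3.2.0.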