qy-zhang

mt-travel-ai

Author: Fitzwilliam Zhang · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 137
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install mt-travel-ai
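Description
Built on Meituan's hotel and travel supply, this skill handles travel needs, including search and booking for hotels, flights and trains, attraction tickets, vacation packages and other products, plus customized travel guides, covering the full chain from "inspiration" to "one-click ordering".
Security usage recommendations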
This skill appears to do what it claims (call a Meituan travel CLI) but has multiple security concerns you should weigh before installing or using it. Key points to consider:
- Do not paste highly sensitive tokens into chat unless you fully trust the recipient; prefer creating a limited-scope token or a separate test account for this skill.
- The skill instructs the agent to save your token in plaintext at ~/.config/meituan-travel/config.json. If you proceed, inspect that file, set strict permissions (chmod 600), and consider deleting the token when finished.
- Verify the npm package (@meituan-travel/travel-cli) before installing: check publisher identity and package source on the npm registry. Prefer installing manually yourself rather than having the agent run installs.
- Be cautious about the mandated 'passthrough' of CLI output (images/links): it may relay unexpected or sensitive content verbatim. If you use this skill in a channel you don't fully control, avoid sending secrets there.
- Ask the skill author (or maintainer) to fix inconsistencies: declare required binaries/env in the manifest, remove the requirement to paste tokens into chat (support an out-of-band secure token entry), and recommend secure storage (encrypted or OS keyring) rather than plaintext files.
If you need higher assurance, request an implementation or package audit (package source, publisher identity, and a review of the CLI) before providing real credentials.
Functional analysis
Type: OpenClaw Skill
Name: mt-travel-ai
Version: 1.0.2
The skill manages sensitive API tokens by instructing the agent to execute shell commands (mkdir, cat) to write configuration files to the local filesystem (~/.config/meituan-travel/config.json). It also relies on an external global NPM package (@meituan-travel/travel-cli) and presents a potential shell injection vulnerability by passing user-provided queries directly into a command-line execution string (mttravel [城市] "<query>"). While these behaviors are plausibly intended for the stated travel service functionality, the combination of direct shell manipulation and unvalidated input handling constitutes a high-risk profile.
Capability tags
requires-oauth-token
Capability assessment
Purpose & Capability
The skill's description (Meituan travel assistant) matches the runtime behavior: it uses a travel CLI and an API token to query Meituan data. However, the manifest declares no required binaries or env vars while SKILL.md requires installing and invoking an npm CLI (mttravel) and reading/writing ~/.config/meituan-travel/config.json — this mismatch between manifest and runtime instructions is an inconsistency to be aware of.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt the user to paste an API token into the chat, then run shell commands to create ~/.config/meituan-travel/config.json containing that token. It also mandates absolute passthrough of CLI output (images/links) and special behavior for WeChat (call a 'message' tool). These instructions cause the agent to read/write the user's home filesystem and to relay whatever the CLI returns without filtering — increasing risk of accidental disclosure or transmission of sensitive or malicious content. There is also a contradictory emphasis ('Token is highly sensitive, do not print token in chat') paired with asking the user to paste the token into the conversation.
Install Mechanism
There is no install spec in the registry metadata, but SKILL.md instructs users/agents to run 'npm i -g @meituan-travel/travel-cli' and then use 'mttravel'. Requiring a global npm package is a moderate-risk install vector (traceable to npm package metadata if you verify it) and should be validated by the user. The manifest not listing this requirement is another inconsistency.
Credentials
The skill does not request environment variables, but it requires an API token (stored at ~/.config/meituan-travel/config.json). Having users paste tokens into chat and saving them to a plaintext file is disproportionate from a security perspective: the token could be exfiltrated via logs, conversation history, or if the agent relays CLI output. The token-handling workflow lacks guidance for scoping/revoking tokens or restricting file permissions.
Persistence & Privilege
The skill writes a persistent plaintext credential file in the user's home directory (~/.config/meituan-travel/config.json). While always:false (not force-included), this persistent storage of sensitive credentials in an obvious path is a privilege/persistence risk — especially on shared machines or if backups/agent logs include that file. The skill does not instruct encrypting the token or tightening file permissions.
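How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install mt-travel-ai
  3. Once installation completes, call the Skill by name or use /mt-travel-ai to trigger it
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history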
v1.0.2
optimize display format
v1.0.1
optimize display rule
v1.0.0
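meituan-travel Skill 1.0.0 – initial release
- Provides a full-chain travel assistant based on Meituan's hotel and travel supply, supporting search and booking for hotels, flights, trains, attraction tickets, vacations, itinerary planning and more.
- Includes a dedicated token management and authentication guidance flow to ensure user data security and smooth API calls.
- Output strictly follows the rules of zero deletion, no compression, score annotation, mandatory inline images, and verbatim passthrough of prices and data.
- Clarifies the boundaries of applicable scenarios and the error-handling plans to improve user experience.
- Provides detailed contingency plans and friendly prompts for unavailable situations (network timeout, city recognition failure, etc.).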
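Metadata
Slug: mt-travel-ai
Version: 1.0.2
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 3
FAQ

What is mt-travel-ai?

Built on Meituan's hotel and travel supply, this skill handles travel needs, including search and booking for hotels, flights and trains, attraction tickets, vacation packages and other products, plus customized travel guides, covering the full chain from "inspiration" to "one-click ordering". It is an AI Agent Skill plugin for Claude Code / OpenClaw and has 137 total downloads so far.

How do I install mt-travel-ai?

Run the command "/install mt-travel-ai" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is mt-travel-ai free?

Yes. mt-travel-ai is completely free and is released under the MIT-0 license, so it can be freely downloaded, installed and used.

Which platforms does mt-travel-ai support?

mt-travel-ai is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed mt-travel-ai?

It is developed and maintained by Fitzwilliam Zhang (@qy-zhang); the current version is v1.0.2.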
