pilgrimage-travel
Author: Yangki Zhang · v3.2.0 · MIT-0
Total downloads: 72
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install pilgrimage-travel
Description
Book flights for pilgrimage travel to sacred sites and religious destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ti...
Security usage advice
This skill is suspicious but not clearly malicious. Before installing or using it:
1) Verify the CLI package `@fly-ai/flyai-cli` on the npm registry (publisher, homepage, README, recent releases).
2) Confirm the package provenance matches the skill's claimed vendor (the skill text mentions Fliggy/Alibaba but the CLI is `flyai` — ask the author to clarify).
3) Prefer a skill registry entry that declares required binaries and an explicit install spec rather than embedding an npm install in SKILL.md.
4) If you allow installation, run it in a sandboxed environment (or inspect the package contents) and avoid granting the agent root/global install privileges.
5) If you want only flight search, ask the maintainer to remove unrelated claims (hotels/trains) or add the missing commands for those features.
If you cannot verify the package publisher or the branding mismatch is unresolved, do not run the global npm install on a production machine.
Functional analysis
Type: OpenClaw Skill
Name: pilgrimage-travel
Version: 3.2.0
The skill mandates the global installation of an external npm package (@fly-ai/flyai-cli) and executes shell commands constructed from user-provided input (e.g., --origin, --destination) in SKILL.md and playbooks.md. This pattern introduces a significant risk of shell injection and Remote Code Execution (RCE) if the agent does not properly sanitize user inputs. While these actions are plausibly related to the stated flight-booking purpose, the requirement for high-privilege software installation and the lack of input validation instructions warrant a suspicious classification.
Capability assessment
Purpose & Capability
The description claims broad travel support and says "powered by Fliggy (Alibaba Group)", but the SKILL.md only documents flight search via a third‑party CLI called `flyai`/`@fly-ai/flyai-cli`. The advertised scope (hotels, trains, attractions) and the stated vendor (Fliggy/Alibaba) do not match the concrete commands and tooling in the instructions.
Instruction Scope
The SKILL.md mandates executing a CLI (flyai) for every response, and explicitly requires installing it via `npm i -g @fly-ai/flyai-cli` if missing. It forbids answering from training data and enforces re‑execution until results include booking links, which could cause repeated command execution. The instructions do not read or exfiltrate environment variables or files, but they do instruct the agent to run networked installs and CLI commands on the host — a nontrivial action that goes beyond simple read‑only guidance.
Install Mechanism
No install spec is present in the registry metadata, yet the runtime instructions require a global npm install of `@fly-ai/flyai-cli`. Installing a third‑party npm package at runtime (global install) is higher risk because it downloads and executes code from the npm registry without an explicit, vetted install declaration or a known release host/manifest in the registry entry.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, it implicitly requires system-level tooling (Node.js and npm) and network access to the npm registry. The absence of declared required binaries (npm/node/flyai) in the metadata is an inconsistency to be aware of.
Persistence & Privilege
The skill is not always-enabled and does not request persistent credentials or to modify other skills. Autonomous invocation is allowed (default), which is normal; combined with the install behavior, this means the agent could install/run the CLI when invoked, so consider restricting or supervising installation/execution privileges.
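How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install pilgrimage-travel
- Once installation completes, invoke the Skill by name or trigger it with /pilgrimage-travel
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history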
v3.2.0
Pilgrimage Travel skill v3.2.0
- Adds strict CLI-only execution with [Book](detailUrl) link validation in every result.
- New multilingual trigger terms for religious and pilgrimage-related flight searches.
- Describes step-by-step workflow, including mandatory environment and parameter checks.
- Expands supported travel services: hotel, train, visa, car rental, insurance.
- Enhanced output formatting and brand tagging requirements.
- Updated parameter and playbook references for improved accuracy and compliance.
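FAQ
What is pilgrimage-travel?
Book flights for pilgrimage travel to sacred sites and religious destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ti... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 72 cumulative downloads so far.
How do I install pilgrimage-travel?
Run the command "/install pilgrimage-travel" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.
Is pilgrimage-travel free?
Yes, pilgrimage-travel is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does pilgrimage-travel support?
pilgrimage-travel is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed pilgrimage-travel?
It is developed and maintained by Yangki Zhang (@ivan97); the current version is v3.2.0.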