round-trip

Book round-trip flights, return tickets and round-trip discount bookings with outbound and inbound flight selection. Also supports: flight booking, hotel res...

This skill is CLI-driven and otherwise plausible for searching round-trip flights, but there are several red flags you should consider before installing or using it: - Incoherent parameters: The SKILL.md insists a return/back date must be used for round-trip searches, but the parameter list and nearly all example commands do not include any --back-date flag. Ask the author to clarify and correct the required parameter set before trusting results. - Source verification: The skill recommends installing @fly-ai/flyai-cli globally via npm. That executes third-party code on your machine — verify the npm package, its maintainers, and its source repository before running npm i -g. Prefer packages with an official homepage and repository you can inspect. - Local logging/persistence: The skill may append execution logs (including user queries and parameters) to .flyai-execution-log.json in the current directory. If you plan to run it, be aware these logs may contain personal travel data; inspect and control where logs are stored or disable that behavior. - Branding mismatch: The description references 'Powered by Fliggy (Alibaba Group)' but the runtime uses a 'flyai' CLI with no homepage provided. Confirm which backend is actually being used and whether the branding is accurate. - Retry/self-test behavior: The skill forces re-execution if no [Book](...) links are present. This can cause repeated network calls; consider rate limits, API keys, or unintended repeated installs/requests. Recommended actions: ask the skill author to (1) provide a homepage/repository for the skill and the flyai CLI, (2) fix the parameter table/examples to include a documented --back-date/back-date flags for round-trips, (3) make logging optional and document what is stored, and (4) avoid forcing global npm installs or provide a vetted link to the CLI source. If you cannot verify the CLI package source and the logging behavior, avoid running the npm install or using the skill.

Type: OpenClaw Skill Name: round-trip Version: 3.2.0 The skill bundle facilitates flight searches by instructing the agent to install and execute a global NPM package (@fly-ai/flyai-cli). A significant security concern exists in SKILL.md and references/playbooks.md, where the agent is directed to construct shell commands using raw user input (e.g., --origin "{o}") without any instructions for sanitization or escaping. This pattern creates a high risk of shell command injection if a user provides crafted input containing shell metacharacters. Additionally, the runbook.md specifies writing internal execution logs to a local file (.flyai-execution-log.json) using shell redirection, which further expands the potential for command injection and unauthorized file writes.