Total downloads: 124
Favorites: 1
Current installs: 0
Versions: 1
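Install in OpenClaw
/install search-flight
Description
AI flight assistant: domestic flight search, cabin class lookup, booking and ordering, flight rescheduling, and ticket refunds. Use it when the user asks about flights, checks ticket prices, submits a ticket order, reschedules a flight, or requests a refund.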
Security usage recommendations
This skill appears to implement the advertised flight search and booking flows, but I recommend caution before using it with real personal data. Specific concerns:
- (1) TLS verification is explicitly disabled for all HTTP requests — this makes the apiKey and passengers' PII vulnerable to man-in-the-middle attacks;
- (2) the SKILL.md states the apiKey is saved in ~/.fbt_auth.json but the code saves it in the system temp directory (tempfile.gettempdir()), which affects how long the key persists and who can access it;
- (3) despite advising not to log PII, the scripts print passenger names/phones/IDs and even raw order_data to stdout, which may be captured by application logs;
- (4) the code posts PII and auth tokens to an external domain (default https://app-gate.fenbeitong.com/...), so confirm you trust that service and review its privacy policy.
Actions you can take before installing or using the skill:
- Ask the author for the skill's homepage, provenance, and why TLS verification is disabled; require they remove ssl._create_unverified_context().
- Request they reconcile documentation vs. code for apiKey storage (explicit file path and file permissions), or change to store the key in a secure user config (home directory with appropriate permissions) and document it.
- Ask for logs/printing of PII to be removed (no cleartext printing of identity numbers/phones).
- If you must test, run it on an isolated system (not a shared machine), avoid using real personal data, and set FBT_API_URL to a controlled test endpoint if possible.
If the author cannot justify or fix the above, treat the skill as high-risk for handling real PII.
Functional analysis
Type: OpenClaw Skill
Name: search-flight
Version: 1.0.0
The skill bundle implements a flight booking assistant that handles sensitive Personally Identifiable Information (PII), including passenger names, phone numbers, and national ID numbers. A significant security vulnerability is present in `scripts/common.py`, where SSL certificate verification is explicitly disabled via `ssl._create_unverified_context()` for all API calls to `app-gate.fenbeitong.com`. This exposes sensitive user data and authentication tokens to Man-in-the-Middle (MitM) attacks. While the behavior aligns with the stated purpose and the code includes a comment acknowledging the risk, the intentional bypass of transport security for PII and payment-related workflows is a high-risk flaw.
Capability assessment
Purpose & Capability
The name/description (flight search & booking) aligns with the included scripts and required binary (python3). The scripts call an external flight API and perform search/price/order/endorse/refund operations as described. However, SKILL.md claims the apiKey is saved to the user's home (~/.fbt_auth.json) while common.py actually writes/reads the auth file from the system temp directory (tempfile.gettempdir()). This mismatch can mislead users about persistence and file location.
Instruction Scope
The SKILL.md explicitly warns that PII (name, phone, id) will be POSTed to the external service — which matches the code. But several concerning instruction/behavior mismatches exist: the docs tell users not to expose PII in logs or replies, yet scripts explicitly print passenger name/phone/id and also print debug/order_data in endorse_apply.py, potentially exposing PII to stdout/logs. The code sends all business data to an external endpoint (app-gate.fenbeitong.com by default) — expected for booking, but the code disables TLS certificate verification (ssl._create_unverified_context()), which introduces MITM risk for all transmitted PII and apiKey.
Install Mechanism
No install spec is provided (instruction-only style) and only python3 is required — this is proportionate. The package does include multiple Python scripts bundled with the skill (no external downloads). There is no third-party install step that pulls remote executables (lower install risk).
Credentials
The skill requests no environment variables in its declared requirements, but common.py honors an optional FBT_API_URL environment variable to override the API endpoint — SKILL.md does not document this. The skill persists an apiKey locally (expected for authenticated API usage) but the storage location differs between documentation and code. No unrelated external credentials are requested.
Persistence & Privilege
The skill persistently saves an apiKey to disk (implemented via save_api_key/load_api_key) which is expected for an authenticated client. However, the SKILL.md says the apiKey will be stored in the user's home (~/.fbt_auth.json) while the code stores it in the system temp directory (tempfile.gettempdir(), e.g., /tmp/.fbt_auth.json) — this affects persistence and visibility of the key (temp files may be world-readable on some systems). The skill does not request elevated system privileges nor set always:true.
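How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install search-flight
- Once installation completes, call the Skill by name or trigger it with /search-flight
- Provide the required inputs according to the Skill's parameter description to get structured output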
Version history
v1.0.0
flightAI v1.0.0 – Initial Release
- Provides comprehensive AI-powered domestic flight services, including flight search, fare query, booking, rescheduling, and refund.
- Supports step-by-step guidance for authentication via SMS code and apiKey before any operations.
- Offers script-based commands for each feature: searching flights, querying prices, booking tickets, order management, flight change, and refund.
- Clearly details required user information and privacy handling for secure bookings.
- Includes contextual parameter checks and result formatting requirements for user interaction.
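FAQ
What is AI Flight Booking Assistant?
AI flight assistant: domestic flight search, cabin class lookup, booking and ordering, flight rescheduling, and ticket refunds. Use it when the user asks about flights, checks ticket prices, submits a ticket order, reschedules a flight, or requests a refund. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 124 times in total so far.
How do I install AI Flight Booking Assistant?
Run the command "/install search-flight" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is AI Flight Booking Assistant free?
Yes. AI Flight Booking Assistant is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does AI Flight Booking Assistant support?
AI Flight Booking Assistant runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops AI Flight Booking Assistant?
It is developed and maintained by 赵瑞宇 (@ryan-zry); the current version is v1.0.0.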