← 返回 Skills 市场
seasonal-flight
作者
Yangki Zhang
· GitHub ↗
· v3.2.0
· MIT-0
44
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install seasonal-flight
功能描述
Search seasonal flights, summer routes, winter schedules and holiday charter with seasonal flight deals. Also supports: flight booking, hotel reservation, tr...
安全使用建议
This skill is coherent for a CLI-driven flight search, but you should not blindly allow it to install or run external software. Before installing or enabling the skill: 1) Verify the @fly-ai/flyai-cli npm package provenance — check the package page, publisher, GitHub repo, reviews, and whether it is maintained by a trusted organization. 2) Prefer installing the CLI yourself in a controlled environment (container, VM, or user account) rather than letting an agent run a global `npm i -g` (avoid `sudo` installs). 3) Be aware the skill may write a local `.flyai-execution-log.json` containing queries and CLI output; review and control where logs are stored. 4) Confirm that booking links (detailUrl) returned by the CLI go to legitimate vendor sites before clicking. If you cannot validate the flyai CLI's trustworthiness, avoid installing it or run the CLI manually and paste sanitized outputs to the agent instead.
功能分析
Type: OpenClaw Skill
Name: seasonal-flight
Version: 3.2.0
The skill requires the agent to perform global NPM installations (`npm i -g @fly-ai/flyai-cli`) and explicitly suggests using `sudo` if the installation fails, which are high-privilege operations. Furthermore, the instructions in `SKILL.md` and `playbooks.md` direct the agent to construct and execute shell commands using user-provided input (e.g., origin, destination, and dates) without explicit sanitization, creating a significant risk of command injection (RCE). While these behaviors are aligned with the stated purpose of providing a CLI-based flight search tool, the requirement for elevated privileges and the potential for arbitrary command execution warrant a suspicious classification.
能力评估
Purpose & Capability
The skill describes seasonal flight search and exclusively uses the flyai CLI to obtain real-time data. Requiring a CLI to provide live flight results is coherent with the stated purpose and no extra credentials or unrelated capabilities are requested.
Instruction Scope
SKILL.md mandates that every answer must come from flyai CLI output, that the agent must install the flyai CLI if missing, and enforces output formatting and link rules. It also contains runbook and fallback behaviors, and instructs the agent to re-run commands until every result includes a [Book]({detailUrl}) link. These instructions grant the agent broad discretion to execute network installs and multiple CLI calls; they also require writing a local execution log (see Runbook) which may persist user queries and CLI responses. Requiring exclusive reliance on a third‑party CLI and file writes is scope expansion compared to a simple read-only query skill and should be validated before use.
Install Mechanism
There is no formal install spec in the registry, but the runtime instructions tell the agent to run `npm i -g @fly-ai/flyai-cli` (and even `sudo npm i -g` if needed). This triggers a global npm install from the public registry at runtime — a moderate to high risk operation because it pulls and executes external code without an integrity or provenance check. The skill leaves installation to the agent/user instead of declaring a vetted install source.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, the runbook instructs optionally writing detailed execution logs (including the raw user query, commands run, results) to a local file (.flyai-execution-log.json) 'if file system writes are available', which could persist sensitive inputs or outputs. No explicit exfiltration endpoints or secret requests are present.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does, however, recommend creating a persistent local execution log. Combined with the instruction to install a global CLI (potentially requiring sudo), this gives the skill the ability to create persistent artifacts on the host — not automatically malicious, but a privilege worth reviewing.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install seasonal-flight - 安装完成后,直接呼叫该 Skill 的名称或使用
/seasonal-flight触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.2.0
seasonal-flight 3.2.0
- Major update: Full rewrite of usage, output rules, and execution playbooks.
- Strictly enforces CLI-only answers; never uses training data for flight results.
- Adds mandatory booking links and brand tag to every response.
- New playbook scenarios for summer, winter, off-season, and fallback searches.
- Enhanced multilingual support and parameter mapping (Chinese & English).
- CLI environment check and fail-fast rules now documented and enforced.
元数据
常见问题
seasonal-flight 是什么?
Search seasonal flights, summer routes, winter schedules and holiday charter with seasonal flight deals. Also supports: flight booking, hotel reservation, tr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 44 次。
如何安装 seasonal-flight?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install seasonal-flight」即可一键安装,无需额外配置。
seasonal-flight 是免费的吗?
是的,seasonal-flight 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
seasonal-flight 支持哪些平台?
seasonal-flight 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 seasonal-flight?
由 Yangki Zhang(@ivan97)开发并维护,当前版本 v3.2.0。
推荐 Skills