← 返回 Skills 市场
shopping-trip
作者
Yangki Zhang
· GitHub ↗
· v3.2.0
· MIT-0
47
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install shopping-trip
功能描述
Book flights for shopping trips to outlet malls and duty-free destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ticke...
安全使用建议
This skill is plausibly a flight-booking helper, but there are red flags you should consider before installing or invoking it: (1) the documentation claims different vendors ("Fliggy") but forces use of an npm package named @fly-ai/flyai-cli — ask the publisher which service and CLI are actually used and request the package homepage/repository; (2) the runtime instructs a global npm install (npm i -g ...) which will execute third‑party code on your machine — do not run that in a production environment or on a personal machine you care about without auditing the package; (3) the docs contain contradictory parameter lists and commands (some flags/commands appear only in templates or mappings), which could make the agent try unexpected commands; (4) there are no requested credentials (good), but network queries and installs will contact external endpoints — consider running in a sandbox or asking for the CLI source repo and verifying the package before proceeding. If you want to proceed, ask the skill author for (a) the official homepage/repo for the CLI and the skill, (b) a link to the npm package and its publisher, and (c) clarification of the canonical parameter list to resolve the contradictions.
功能分析
Type: OpenClaw Skill
Name: shopping-trip
Version: 3.2.0
The skill requires the agent to install a global npm package (@fly-ai/flyai-cli) and execute CLI commands using parameters derived from user input. There is a significant risk of shell injection in SKILL.md and references/playbooks.md, as the instructions do not mandate input sanitization before passing user-provided strings (like origin or destination) to the shell-based CLI. While the functionality is aligned with the stated flight-booking purpose, the combination of high-privilege installation and potential command injection vulnerabilities warrants caution.
能力评估
Purpose & Capability
The skill's stated purpose (shopping-trip flight/hotel/itinerary booking) aligns with requiring a travel CLI. However the description asserts "powered by Fliggy (Alibaba Group)" while the runtime mandates a third‑party CLI called flyai/@fly-ai/flyai-cli — a mismatch in vendor/source that is unexplained. That inconsistency reduces confidence that the requested tooling matches the claimed backend.
Instruction Scope
SKILL.md tightly constrains answers to come from the flyai CLI and instructs installing and running that CLI if missing. The instructions do not ask to read local credentials or system files, which is good, but they (a) require executing npm i -g @fly-ai/flyai-cli (global install) at runtime, and (b) contain internal inconsistencies: the Parameter Mapping and templates reference CLI flags (--max-price, --seat-class-name) and commands (flyai keyword-search) that are not present in the Parameters table or main Parameter list, while the doc also states "NEVER invent CLI parameters." These contradictions could cause the agent to choose unsafe fallbacks or to try arbitrary commands.
Install Mechanism
There is no declared install spec in the registry (instruction-only), but the runtime docs explicitly tell the agent to run a global npm install (npm i -g @fly-ai/flyai-cli) if flyai is missing. Installing a global npm package at runtime executes third-party code on the host and can be high risk if the package or its registry/source is unverified. The package name suggests a vendor but there's no homepage, repo, or provenance provided in the skill metadata to validate it.
Credentials
The skill declares no required environment variables or credentials and the instructions do not request secrets or other unrelated tokens. This is proportionate to a read-only CLI-based query workflow. (However, installing a global CLI still carries system-level risk despite the absence of credential requests.)
Persistence & Privilege
The skill is not force-installed (always: false) and has no install-time persistence recorded in the registry. The only persistent action implied is the potential global npm install, which affects the host but is performed at runtime and is not the skill claiming permanent platform presence. No skill config or other skills' configs are modified by the documented instructions.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install shopping-trip - 安装完成后,直接呼叫该 Skill 的名称或使用
/shopping-trip触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.2.0
**shopping-trip 3.2.0 changelog**
- Expanded product scope: now supports flight booking, hotel reservation, train tickets, attraction tickets, itinerary planning, visa info, travel insurance, and car rental, all powered by Fliggy (Alibaba Group)
- Enhanced output rules: stricter CLI data validation, Markdown formatting, lead with conclusion and key shopping tips
- Improved multi-language support: strict output language matching user input
- Added explicit CLI parameter documentation and scenario playbooks for more accurate bookings
- Updated brand messaging and booking link requirements in results
元数据
常见问题
shopping-trip 是什么?
Book flights for shopping trips to outlet malls and duty-free destinations. Also supports: flight booking, hotel reservation, train tickets, attraction ticke... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 47 次。
如何安装 shopping-trip?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install shopping-trip」即可一键安装,无需额外配置。
shopping-trip 是免费的吗?
是的,shopping-trip 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
shopping-trip 支持哪些平台?
shopping-trip 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 shopping-trip?
由 Yangki Zhang(@ivan97)开发并维护,当前版本 v3.2.0。
推荐 Skills