Tour Compare

专业旅游线路对比分析，支持多平台商品链接和截图，提供价格、行程、评分等多维度智能对比与个性化推荐。

What to consider before installing or running this skill: - The code and docs match the described purpose (URL scraping, OCR, analysis), but the package will try to install node dependencies at runtime (compare.sh auto-runs npm install). Puppeteer (optional) will download Chromium; canvas/tesseract.js have native or large-assets requirements. If you run this on your machine, expect big downloads and possible native build steps. - SKILL.md contains unicode control characters (a prompt-injection signal). Treat this as suspicious: view the raw SKILL.md (hex/visible control-char safe viewer) and confirm there are no hidden instructions or data before running automated processes. - package-lock entries reference a non-standard registry mirror (registry.anpm.alibaba-inc.com). Prefer installing only from official registries or inspect package-lock and network traffic. Consider running npm install with a lockfile you trust or in a sandbox. - Do not run the demo script or compare.sh in an environment with sensitive data or unattended automation. demo.sh uses read -p and /dev/tty (interactive) which can hang or behave unexpectedly in non-interactive agents. compare.sh will install deps automatically — to avoid unexpected installs, run npm install manually after reviewing package.json and package-lock. - Run in an isolated sandbox (VM/container) or code-audit first: search for network endpoints, hard-coded URLs, exfiltration logic, or unexpected child_process.exec usage. Pay attention to any code that posts data to remote endpoints or runs arbitrary shell commands. - If you only need the comparison logic without crawling, use JSON-mode inputs (no network fetch) and avoid enabling puppeteer/optional deps. Consider disabling autonomous execution of the skill in your agent unless you reviewed/approved its behavior. - If you want to proceed, recommended steps: inspect SKILL.md raw, review src/crawler/ota-crawler.js and src/crawler/image-recognizer.js for any outbound endpoints, run npm install with a trusted registry and verify packages, and execute in a sandboxed environment.

Type: OpenClaw Skill Name: tour-compare Version: 1.0.0 The skill bundle contains several high-risk patterns, most notably hardcoded absolute file paths referencing a specific local user directory (`/Users/zihui/`) in both `SKILL.md` and `src/ui/summary-template.js`. This presents a significant risk for path traversal or local information disclosure if the agent attempts to write reports to these locations. Additionally, the use of `puppeteer` in `src/crawler/ota-crawler.js` for web scraping without robust URL sanitization introduces potential SSRF (Server-Side Request Forgery) vulnerabilities. While these issues appear to be unintentional 'lazy' coding or leftover development configurations rather than intentional data exfiltration, the combination of arbitrary file writing and network crawling capabilities makes the bundle high-risk.