Travel Mapify
Author: rudy2steiner (GitHub) · v2.2.2 · MIT-0
Total downloads: 151
Favorites: 0
Current installs: 0
Versions: 5
Install in OpenClaw:
/install travel-mapify
Description
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images.
Safe-use recommendations
Do not install or run this skill on any machine you care about without first changing the code. Specific risks:
- scripts/amap-proxy.js builds a shell command string from the user-supplied query and city parameters and runs it through child_process.exec; anyone who can send a crafted request to the proxy can execute arbitrary commands.
- The proxy sets Access-Control-Allow-Origin: * and calls server.listen(PORT) without a host argument, so by default it is reachable from the network rather than only from localhost.
- The package embeds a default Amap API key and advertises "no user API key required"; that key can leak or be abused.
Recommended mitigations before use:
- Run the skill only in an isolated VM or container.
- Modify amap-proxy.js to bind to 127.0.0.1 and stop using shell exec: call the Amap API directly with an HTTP client, or at minimum validate and escape the inputs.
- Remove the embedded API key and require a user-provided key.
- Verify that the external skills it depends on (amap-maps, the FlyAI CLI) are legitimate and present.
- Inspect and run the code manually rather than allowing any automated install.
If you cannot review or safely sandbox the code, treat this skill as unsafe.
Functional analysis
Type: OpenClaw Skill
Name: travel-mapify
Version: 2.2.2
The skill contains a critical shell injection vulnerability in 'scripts/amap-proxy.js'. The 'handleSearch' function accepts user-controlled input from URL parameters ('query' and 'city') and concatenates them directly into a shell command string executed via 'child_process.exec', allowing for arbitrary command execution. Additionally, 'scripts/ensure_servers_running.py' performs aggressive system actions by identifying and forcefully killing processes on ports 8769 and 8780 using 'lsof' and 'os.kill'. While these appear to be poorly implemented utility features rather than intentional malware, the RCE risk via the proxy server is significant.
Capability assessment
Purpose & Capability
The name and description (interactive maps + FlyAI hotel search + AI Vision) align with the included code: geocoding, route generation, a hotel-search backend and vision helpers are all present. However, the registry metadata declares no required environment variables or credentials, while the code and docs reference AMAP_KEY and OPENCLAW_WORKSPACE and require a separate amap-maps skill and the FlyAI CLI; the declared requirements do not match the implementation.
Instruction Scope
SKILL.md describes auto-starting local servers and using AI Vision for POI extraction, which matches the code. But the runtime instructions and scripts make the skill start network services (the Amap HTTP proxy on port 8769, the hotel server on port 8770 and the map server on port 9000). The proxy takes GET parameters and passes them unescaped into a shell command run via exec, so the instruction surface directs the agent to run processes that read local files and execute shell commands built from external input, which goes well beyond simple geocoding.
Install Mechanism
No install spec (instruction-only), so nothing is auto-downloaded, which lowers risk on that front. But several of the included Node and Python scripts invoke other components (the flyai CLI, amap-maps scripts) and run system commands; the packaged scripts assume those external skills and tools are present, and there is no packaged, vetted installer.
Credentials
The registry lists no required env vars, but the code reads OPENCLAW_WORKSPACE, tries to locate a flyai executable, and amap-proxy.js falls back to an embedded Amap API key ('88628414733cf2ccb7ce2f94cfd680ef'). Shipping a built-in API key while advertising 'no user key required' is questionable (quota exhaustion, abuse of the key, and privacy implications for the queries sent under it). The skill does not request unrelated external credentials, but the mismatch between declared and actual env/credential use is a concern.
Persistence & Privilege
The skill is not marked 'always: true', but it auto-starts several HTTP services when used (the map HTTP server, the hotel server and the Amap proxy). The Amap proxy sets Access-Control-Allow-Origin: * and listens with server.listen(PORT) and no host restriction, so it is reachable from other hosts on the network. Combined with the unsafe shell exec usage, this gives the skill a significant network-exposed attack surface beyond what users would expect from a map-drawing skill.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install travel-mapify
- After installation, call the Skill by name or trigger it with /travel-mapify
- Provide the required inputs according to the Skill's parameter description to get structured output.
Version history
v2.2.2
Clean text-only input with external AI Vision workflow. Removed internal image processing, simplified to pure text input. Added proper documentation for AI Vision image analysis workflow. Fixed cross-city geocoding issues with explicit city context. Configured FlyAI API key support.
v2.2.1
Enhanced server management: servers start before POI search. Proper Amap POI integration with two-step geocoding. Removed Express.js dependency, now uses built-in Node.js HTTP server. Full portability with no absolute paths.
v2.2.0
Added automatic city detection, portable entry point, dynamic configuration, and enhanced server management
v2.1.5
Enhanced travel-mapify with Xiaohongshu optimization, AI vision recognition, real FlyAI hotel search, and automatic server management. Based on flyai-travelmapify functionality.
v1.0.0
Initial release—transform travel planning images or location lists into interactive, professional route maps.
- Supports both image (OCR) and text (comma-separated locations) inputs for POI extraction.
- Uses Amap geocoding API to obtain precise coordinates and validate locations.
- Generates interactive web maps with dual edit/view modes, route optimization, and POI management.
- Integrates real hotel search via FlyAI for live hotel prices, availability, and booking links.
- Automatically starts HTTP and hotel search servers, providing ready-to-use map outputs.
- Professional UX: enhanced notifications, responsive design, drag-and-drop, and export options.
FAQ
What is Travel Mapify?
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images. It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 151 times so far.
How do I install Travel Mapify?
Run the command "/install travel-mapify" in the OpenClaw or Claude Code chat box to install it in one step. The listing claims no extra configuration is needed; note, however, that the capability assessment above found the code expects AMAP_KEY and OPENCLAW_WORKSPACE and depends on the amap-maps skill and the FlyAI CLI.
Is Travel Mapify free?
Yes, Travel Mapify is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Travel Mapify support?
Travel Mapify is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Travel Mapify?
Developed and maintained by rudy2steiner (@rudy2steiner); current version v2.2.2.