Total downloads: 66
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install travel-swarm
Description
Integrated travel planner combining FlyAI ticket prices, Gaode and Tencent map POI, Meituan food recommendations, and fallback McDonald's options.
Security usage recommendations
This package appears to be a real multi-MCP travel planner, but there are multiple inconsistencies and operational risks you should check before installing:
- Verify which environment variables the code actually reads. SKILL.md lists GAODE_API_KEY but code uses AMAP_API_KEY; ensure you map your keys correctly and avoid pasting unrelated secrets. Search the code for os.getenv(...) to find all expected names (e.g., AMAP_API_KEY, MINIMAX_API_KEY, FLYAI keys).
- Expect the skill to make outbound network calls to FlyAI, Amap/Gaode, Tencent, Meituan and to model endpoints (minimax). Only supply API keys you trust and run the skill in an isolated environment if possible.
- The repo includes scripts and docs to run a web service on port 7860 and watchdog/resurrection scripts and even a hardcoded external IP in docs. Do not blindly run startup/watchdog scripts as root; review them first and consider running under a container or sandbox.
- The codebase contains unrelated-looking CNC/industrial logic and many test/dev files — this suggests code reuse. Review the code paths that handle user input and external calls (flyai_client, multi_mcp_client, minimax_client) for any unexpected data exfiltration or unknown endpoints.
- If you are not comfortable auditing the code, run it in an isolated VM/container with no sensitive credentials mounted. Prefer providing per-service API keys with limited privileges and rotate them after testing.
If you want, I can list the exact files that read environment variables and the exact env-var names the code expects, or scan the codebase for hardcoded external hosts and URLs to help you decide.
Functional analysis
Type: OpenClaw Skill
Name: travel-swarm
Version: 1.0.0
The skill bundle contains multiple critical Remote Code Execution (RCE) vulnerabilities due to the unsafe use of `subprocess.run(shell=True)` with unsanitized user input in `backend/utils/flyai_client.py` and `shrimp_system/main_shrimp.py`. Furthermore, numerous sensitive API keys for services like Gaode Maps, Tencent Maps, and MiniMax are hardcoded throughout the codebase (e.g., in `food_nearby_api.py`, `multi_mcp_client.py`, and `real_api_client.py`). While these appear to be severe security oversights and poor coding practices rather than intentional malware, the combination of RCE vectors and leaked credentials makes the bundle highly risky for deployment.
Capability tags
Capability assessment
Purpose & Capability
The code files (flyai_client, amap/meituan/tencent clients, multi_mcp, report generator) align with the stated travel-planner purpose. However, there are surprising artifacts: several socratic/engine components include CNC/industrial keyword handling (unrelated to travel) and the README/SKILL.md names of map API env vars (GAODE_API_KEY) do not match code usage (AMAP_API_KEY). These suggest code reuse or sloppy packaging rather than pure intent mismatch, but they are unexplained.
Instruction Scope
SKILL.md runtime instructions are limited (install via clawhub, set API keys), but the repo/docs contain operational instructions to run a long‑running web service on port 7860, watchdog/resurrection scripts, and a hardcoded external IP (http://47.253.101.130:7860/) in deployment docs. The code invokes external MCP endpoints and model clients (minimax), and some modules will read environment variables beyond those declared in the SKILL.md. This broad operational scope (service hosting + watchdog) is not fully reflected in the top-level skill metadata.
Install Mechanism
There is no install spec that downloads arbitrary payloads (lowest-risk install type). The bundle includes many source files and helper scripts, so installation will place code on disk and likely run a web service if followed. No external archive/URL-based install was detected, which reduces immediate supply-chain risk, but the included startup/watchdog scripts increase operational persistence once installed.
Credentials
SKILL.md lists required API keys (FLYAI_API_KEY, GAODE_API_KEY, optional TENCENT_MAP_KEY and MEITUAN_API_KEY) but the registry metadata claims 'none' for required env vars — a direct mismatch. The code expects AMAP_API_KEY in places (os.getenv('AMAP_API_KEY', '')) rather than GAODE_API_KEY, and other components (minimax_client, FlyAIClient) imply additional credentials (MINIMAX_API_KEY, etc.) not declared in SKILL.md. Asking for multiple external service keys is reasonable for this feature set, but the inconsistent naming and undocumented credential needs are a red flag: misconfiguration could leak or misroute secrets.
Persistence & Privilege
The skill does not set always:true and is user-invocable only (normal). However, the repository includes watchdog/resurrection scripts and service startup guidance to run a persistent web UI on port 7860. If a user follows those docs, the skill will become a persistent networked service. This is not inherently malicious but raises the operational blast radius in combination with networked API clients and model calls.
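How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install travel-swarm
- After installation, call the Skill by name directly or use /travel-swarm to trigger it
- Provide the required input according to the Skill's parameter documentation to get structured output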
Version history
v1.0.0
openclaw-travel-swarm-v8 initial release:
- Integrates multi-platform travel planning with FlyAI, Gaode, Tencent, Meituan, and McDonald's fallback.
- Supports real-time ticket price search (FlyAI/Fliggy).
- POI verification with both Gaode and Tencent Maps.
- Food recommendations via Meituan; fallback to McDonald's.
- Generates map screenshots.
- Requires API keys for main functions.
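Metadata
FAQ
What is Travel Swarm?
Integrated travel planner combining FlyAI ticket prices, Gaode and Tencent map POI, Meituan food recommendations, and fallback McDonald's options. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 66 cumulative downloads so far.
How do I install Travel Swarm?
Run the command "/install travel-swarm" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is Travel Swarm free?
Yes, Travel Swarm is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Travel Swarm support?
Travel Swarm runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Travel Swarm?
Developed and maintained by Timo2026 (@timo2026); the current version is v1.0.0.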