Travelmapify

Author: rudy2steiner · GitHub · v2.2.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 141
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install travelmapify
Description
Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images.
Security usage recommendations
What to consider before installing:
1) Command injection risk: scripts/amap-proxy.js builds shell commands that interpolate user-provided query/city values into a child_process exec string. If you will expose this proxy to any untrusted input or use untrusted images/text, this is a real risk. Ask the author to sanitize/escape inputs or switch to child_process.spawn with argument arrays.
2) Embedded API key & undeclared env use: the package and docs ship a default Amap API key and the code will use AMAP_KEY if present. The skill claims no required credentials but relies on AMAP_KEY, OPENCLAW_WORKSPACE and the FlyAI CLI. Prefer to supply your own Amap key via environment variable and confirm the included key is legitimate and allowed for reuse.
3) Dependency on sibling skill and local servers: the proxy calls into a relative ../amap-maps script. Installing this skill without a trusted amap-maps implementation could execute arbitrary code. Only install if you have the expected amap-maps skill from a trusted source.
4) Run in a sandbox first: test in an isolated environment (VM/container) and review the omitted scripts (hotel-search-server.py, ensure_servers_running.py, etc.) before enabling on your main system.
5) If you need this functionality but want lower risk: request the author to (a) remove embedded API keys, (b) declare required env vars and permissions, (c) avoid shell interpolation of user inputs, and (d) document exact runtime network endpoints.
If the author provides that follow-up and fixes the command-exec patterns, this assessment could change to benign.
Functional analysis
Type: OpenClaw Skill
Name: travelmapify
Version: 2.2.2
The skill bundle contains a critical shell injection vulnerability in 'scripts/amap-proxy.js', where user-controlled query and city parameters are passed unsanitized to 'child_process.exec'. Additionally, 'scripts/ensure_servers_running.py' implements aggressive server management by force-killing any existing processes on ports 8769 and 8780 using 'lsof' and 'os.kill'. While these behaviors are documented as part of the skill's automatic server management and geocoding functionality, the lack of input validation and the invasive process handling pose significant security risks.
Capability assessment
Purpose & Capability
Name/description (map generation + FlyAI hotel search + AI Vision) generally align with the included code (geocoding, template generation, hotel-search server). However the registry metadata claims no required env vars/credentials while the code expects AMAP_KEY, OPENCLAW_WORKSPACE, and a FlyAI executable; it also requires an external sibling skill (amap-maps). Asking for no credentials but embedding/using an API key and depending on another skill is inconsistent and unexplained.
Instruction Scope
SKILL.md instructs the agent to auto-start HTTP/hotel servers, use the agent's AI Vision, and call Amap/FlyAI. The shipped runtime files actually start local servers, spawn subprocesses, and call into a relative 'amap-maps' skill. The amap proxy composes shell commands with user query/city values inserted directly (see scripts/amap-proxy.js), creating a command-injection risk. The skill also modifies/reads workspace paths and hunts for FlyAI binaries—behavior beyond simple map rendering.
Install Mechanism
No external install spec (instruction-only) reduces supply-chain risk, but the bundle includes multiple executable scripts (Python and Node) that will be run locally. Nothing is downloaded from arbitrary URLs, but the code will call other local tools (node, npm, flyai) and a sibling skill; that means installing/running the package still executes non-trivial code on the host.
Credentials
Registry lists no required env vars, yet code uses/reads AMAP_KEY (with a hardcoded default key in docs and Node proxy), OPENCLAW_WORKSPACE, and expects a FlyAI binary. Embedding an Amap API key in the package and using it without explicit user acknowledgement is questionable. The skill also probes PATH/npm locations to find FlyAI—unrequested environment access that should have been declared.
Persistence & Privilege
always:false (good), but the skill auto-starts local HTTP servers (default ports 9000, 8770, and requires an Amap proxy on 8769) and will keep processes running while used. This grants persistent local network presence during operation; combined with the unsafe exec behavior it increases the attack surface but is not itself a platform privilege escalation.
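How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install travelmapify
  3. Once installation completes, invoke the Skill by name or trigger it with /travelmapify
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history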
v2.2.2
Clean text-only input with external AI Vision workflow. Removed internal image processing, simplified to pure text input. Added proper documentation for AI Vision image analysis workflow. Fixed cross-city geocoding issues with explicit city context. Configured FlyAI API key support.
v2.2.1
Enhanced server management: servers start before POI search. Proper Amap POI integration with two-step geocoding. Removed Express.js dependency, now uses built-in Node.js HTTP server. Full portability with no absolute paths.
v2.2.0
Added automatic city detection, portable entry point, dynamic configuration, and enhanced server management
v2.1.5
Enhanced travelmapify with Xiaohongshu optimization, AI vision recognition, real FlyAI hotel search, and automatic server management. Matches flyai-travelmapify functionality.
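Metadata
Slug travelmapify
Version 2.2.2
License MIT-0
Total installs 0
Current installs 0
Number of versions 4
FAQ

What is Travelmapify?

Create interactive travel route maps from location names with real FlyAI hotel search. Supports AI Vision analysis of travel planning images. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 141 total downloads to date.

How do I install Travelmapify?

Run the command "/install travelmapify" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Travelmapify free?

Yes, Travelmapify is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Travelmapify support?

Travelmapify runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Travelmapify?

Developed and maintained by rudy2steiner (@rudy2steiner); the current version is v2.2.2.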
