gaogao605

Fenbeitong Travel

Author: fenbeitong-trip · GitHub · v2.4.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 110
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw: /install travels
Description
One-stop enterprise business-travel service covering hotel search and booking, flight search and booking, and rebooking and refunds across the whole workflow. Smart requirement confirmation, silent background authentication, and side-by-side table comparison. Built on Fenbeitong's official data, real-time and reliable.
Safety recommendations
This skill appears to implement the travel functionality it advertises, but review these points before installing or using it with real accounts:
- PII persistence and logging: the code writes auth tokens (~/.fbt-auth.json / ~/.fbt_auth.json) and price caches (~/.fbt_price_cache.json) to your home directory and prints passenger name/phone/ID to stdout in some scripts. This contradicts the SKILL.md statement that passenger info is not logged. If you care about privacy, inspect the file locations and file permissions and consider running in an isolated environment.
- Hard-coded token: hotel_api.py contains a DEFAULT_ACCESS_TOKEN constant. Treat hard-coded secrets as risky: confirm whether it is a harmless test token and rotate or remove it if you plan to use a real account.
- Shell execution risk: travel_api.py uses os.system with joined arguments. If untrusted input can reach those commands, shell injection is possible. Prefer subprocess with argument lists or sanitize inputs.
- Network endpoints: the code talks to app-gate.fenbeitong.com (matches the vendor name). If you do not trust the source, do not allow the skill network access or run it behind network monitoring.
- Mitigations: run the skill in a sandboxed environment or container, inspect and remove hard-coded secrets, set strict file permissions on created files, and review/modify the code to avoid os.system and to avoid printing PII. If you cannot audit the code, treat it as untrusted and do not supply real passenger credentials or corporate accounts.
Functional analysis
Type: OpenClaw Skill
Name: travels
Version: 2.4.1

The skill bundle contains several significant security vulnerabilities, although no clear evidence of intentional malice was found. Key issues include the explicit disabling of SSL certificate verification in `scripts/common.py` (using `ssl._create_unverified_context`), which exposes the agent to Man-in-the-Middle (MITM) attacks, and a potential shell injection vulnerability in `scripts/travel_api.py`, where `os.system` is used with unsanitized command-line arguments. Additionally, `scripts/hotel_api.py` contains a hardcoded `DEFAULT_ACCESS_TOKEN`. While these are critical flaws, they appear to be poor security practices rather than intentional malware designed for exfiltration or persistence.
Capability tags
requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name/description, declared binary requirement (python3), and network endpoints (app-gate.fenbeitong.com) align with a Fenbeitong enterprise travel integration. Declared auth files (~/.fbt_auth.json, ~/.fbt-auth.json) are consistent with the described per-system authentication.
Instruction Scope
SKILL.md instructs the agent to perform silent background auth checks and strict output formatting; that is consistent with the declared purpose. However, the documentation states that passenger information is only sent at booking time and is not written to logs ('乘客信息仅在预订时发送,不记录在日志'), while the code prints passenger name/phone/ID to stdout (e.g., flight_order.py) and persists auth tokens and the price cache to files in the user's home directory (~/.fbt-auth.json, ~/.fbt_price_cache.json). This contradicts the 'no logging' claim and means PII/credentials may be stored on disk and appear in logs. SKILL.md also directs the agent to run scripts with user-derived arguments; the runtime code invokes those scripts via os.system with joined args (travel_api.py), which is vulnerable to shell injection if inputs are not sanitized.
Install Mechanism
Instruction-only skill with a requirements.txt (requests). No external downloads or install scripts. The code bundle is provided; nothing is fetched from unknown URLs during install.
Credentials
No environment variables or unrelated credentials are requested. The skill stores auth tokens and caches under the user's home directory (expected for this purpose), but a hard-coded DEFAULT_ACCESS_TOKEN value exists in hotel_api.py (fbsk-2db251f6c8d74ce69ae3dcb82ed1055b). Hard-coded tokens in code can be a security concern (may grant access without user authentication). The code persists mobile numbers in auth files, which is PII — acceptable for a booking tool but should be clearly documented and protected.
Persistence & Privilege
The skill is not always-enabled and uses local persistent files (auth token, price cache, temp seat files) under the user home. That behavior is expected, but combined with printed PII and a default token it increases persistence of sensitive data. Autonomous invocation is allowed by default (not flagged by itself), which increases blast radius if the skill is later abused.
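Hardened forms of the three patterns flagged in the safety recommendations and functional analysis above (joined-string os.system, unverified SSL context, token/cache files created with default permissions), as an added example that is not part of the skill bundle or this listing; the function names, the constructed echo_arg.py child script and the placeholder token value are assumptions.

```python
import os
import ssl
import subprocess
import sys
import tempfile


def build_safe_command(script, args):
    # One argv element per user-derived argument: no shell ever parses the
    # values, unlike the joined-string os.system() call in travel_api.py.
    return [sys.executable, script, *[str(a) for a in args]]

def run_script(script, args):
    # shell=False (the default) preserves the argument boundaries built above.
    proc = subprocess.run(build_safe_command(script, args),
                          capture_output=True, text=True, shell=False)
    return proc.returncode, proc.stdout

def argument_survives_intact(arg):
    # Constructed child script (not from the skill) that echoes its first
    # argument; shell metacharacters in the value must come back unchanged.
    with tempfile.TemporaryDirectory() as tmp:
        child = os.path.join(tmp, "echo_arg.py")
        with open(child, "w", encoding="utf-8") as f:
            f.write("import sys\nprint(sys.argv[1])\n")
        rc, out = run_script(child, [arg])
    return rc == 0 and out.rstrip("\r\n") == arg

def verified_ssl_context():
    # Replacement for ssl._create_unverified_context(): CA verification and
    # hostname checking stay on, so an interposed certificate is rejected.
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

def write_private_file(path, data):
    # Create token/cache files (e.g. ~/.fbt-auth.json) owner read/write only
    # at creation time instead of relying on the umask; returns the mode bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(data)
    return os.stat(path).st_mode & 0o777

def private_file_mode_demo():
    # Writes a constructed placeholder token file in a temp dir, reports mode.
    with tempfile.TemporaryDirectory() as tmp:
        return write_private_file(os.path.join(tmp, "fbt-auth.json"),
                                  '{"token": "PLACEHOLDER"}')
```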
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install travels
  3. After installation, call the skill by name or trigger it with /travels
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v2.4.1
Changelog:
- Added smart interpretation of the user's hotel requirements, with smart hotel recommendation and comparison
v1.0.0
Fenbeitong Travel Assistant 1.0.0
- Initial release: hotel booking and flight booking combined into a one-stop enterprise business-travel service
- Unified authentication flow: log in once to access all functions
- Hotel search, room-type lookup, booking, order query and cancellation
- Flight search, cabin class and policy lookup, ticket booking, refund/change/rebooking, order query and cancellation
- Detailed command-line invocation examples and standardized display requirements
Metadata
Slug: travels
Version: 2.4.1
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 2
FAQ

What is Fenbeitong Travel?

One-stop enterprise business-travel service covering hotel search and booking, flight search and booking, and rebooking and refunds across the whole workflow. Smart requirement confirmation, silent background authentication, and side-by-side table comparison. Built on Fenbeitong's official data, real-time and reliable. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 110 downloads to date.

How do I install Fenbeitong Travel?

Run the command「/install travels」in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Fenbeitong Travel free?

Yes, Fenbeitong Travel is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Fenbeitong Travel support?

Fenbeitong Travel runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Fenbeitong Travel?

Developed and maintained by fenbeitong-trip (@gaogao605); current version v2.4.1.
