← 返回 Skills 市场
Skill
作者
fistfulayen
· GitHub ↗
· v2.3.0
691
总下载
0
收藏
0
当前安装
7
版本数
在 OpenClaw 中安装
/install ubtrippin
功能描述
Manages travel for your user via UBTRIPPIN — trips, items, loyalty programs, family, city guides, events, concerts, notifications, and more. Use when the use...
安全使用建议
Before installing, verify the ubtrippin service and publisher (check ubtrippin.xyz and the referenced GitHub repo). Be aware the skill requires you to provide a UBTRIPPIN API key (ubt_k1_...) and a registered sender email — these are not declared in the registry metadata, so treat that as a transparency gap. Consider these safety steps: (1) only supply an API key created specifically for this integration and keep it scoped/rotatable if the service supports it; (2) avoid storing the key in plaintext in long-lived agent configs; use ephemeral tokens or a secrets manager if possible; (3) understand that forwarding booking emails (with attachments) to [email protected] will transmit sensitive travel and identity data — confirm you trust the destination and its privacy policy; (4) ask the publisher to correct the registry metadata to declare required env vars and primary credential; (5) test with non-sensitive/demo data first, and be ready to revoke the API key if you see unexpected behavior.
功能分析
Type: OpenClaw Skill
Name: ubtrippin
Version: 2.3.0
The skill bundle is classified as suspicious due to the presence of high-risk capabilities that could be exploited via prompt injection against the AI agent. Specifically, the `SKILL.md` file documents a `webhooks` API (`POST /api/v1/webhooks`) which allows the agent to configure an arbitrary URL to receive real-time event data (e.g., `trip.created`, `item.added`). This presents a significant data exfiltration risk, as a compromised agent could be instructed to send sensitive user travel data to an attacker-controlled server. Additionally, the `GET /api/v1/me/loyalty/export` endpoint allows for bulk export of sensitive loyalty program data, which could also be exfiltrated if the agent is maliciously prompted. These are legitimate API features, but their exposure to an AI agent creates a critical vulnerability.
能力评估
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or primary credential, but SKILL.md and example scripts clearly require a UBTRIPPIN API key (ubt_k1_...) and the user's registered sender email for forwarding bookings. Functionally the requests (trips, items, loyalty, email parsing) align with a travel manager, but the metadata omission is an incoherence that hides the need for a sensitive API key and a verified sender email.
Instruction Scope
Runtime instructions include forwarding booking confirmation emails (including PDF attachments) from the user's registered email address to [email protected] and calling the service with a Bearer token. Forwarding/processing emails and attachments may expose sensitive personal data (tickets, PII). The SKILL.md also tells the agent to store the API key (agent config or TOOLS.md). The instructions do not describe how the agent obtains permission or access to send emails from the user's address, which is a scope creep/risk if the agent attempts mailbox access or automated forwarding.
Install Mechanism
No install spec; this is an instruction-only skill with example scripts. No downloads, extracts, or third-party packages are installed by the skill bundle itself.
Credentials
The skill requires a UBTRIPPIN API key and the user's registered sender email to operate, yet the registry metadata declares no required env vars or primary credential. That mismatch is concerning because it hides that a secret (API key) must be supplied and may be stored persistently. The number and sensitivity of the secrets requested is proportionate to the service if declared explicitly, but the metadata omission reduces transparency.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However SKILL.md explicitly recommends storing the UBTRIPPIN API key in agent config or TOOLS.md, which would persist the secret in the agent environment — a normal installation behavior but a persistent sensitive artifact the user should manage (rotate/revoke when needed).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ubtrippin - 安装完成后,直接呼叫该 Skill 的名称或使用
/ubtrippin触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.3.0
PRD-026 complete: full API coverage
v2.2.0
Add ticket/event kind
v2.1.1
Lite version for context-constrained agents, profile setup step, ?status=upcoming example
v2.1.0
Comprehensive item creation docs — full field schema, examples for every booking type, batch operations, agent tips
v2.0.1
Updated README with install troubleshooting, _meta.json with correct version, homepage link to www
v2.0.0
Full API coverage
v1.0.0
UBTRIPPIN skill initial release.
- Lets you view and manage upcoming trips, bookings, and travel details by connecting with the UBTRIPPIN API.
- Supports reading all user trips, viewing trip itineraries (flights, hotels, trains, etc.), and detailed item info.
- New bookings are added by forwarding confirmation emails from the user’s registered sender address.
- Includes setup, API authentication, error handling, and usage instructions for typical travel management tasks.
- Requires a UBTRIPPIN API key and the user's registered sender email.
元数据
常见问题
Skill 是什么?
Manages travel for your user via UBTRIPPIN — trips, items, loyalty programs, family, city guides, events, concerts, notifications, and more. Use when the use... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 691 次。
如何安装 Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ubtrippin」即可一键安装,无需额外配置。
Skill 是免费的吗?
是的,Skill 完全免费(开源免费),可自由下载、安装和使用。
Skill 支持哪些平台?
Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Skill?
由 fistfulayen(@fistfulayen)开发并维护,当前版本 v2.3.0。
推荐 Skills