📦 Search Cheap Flights: Low-Cost Airfare

v3.1.0

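Compare prices on flights worldwide in one click and find the lowest fare in seconds; aggregates low-cost carriers, red-eye flights and limited-time discounts to help you lock in the best fare for budget travel.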

0 · 72 · 0 current · 0 total
Last updated
2026/4/13
Security scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Assessment recommendation
This skill looks like a plausible flight-search integration but has several red flags you should address before installing or trusting it: 1) The runtime instructs installing a global npm package (@fly-ai/flyai-cli) and suggests using sudo if installation fails — don't run sudo installs for an untrusted package. 2) Ask the publisher for the CLI's homepage/repository and a specific version to audit; inspect the npm package source before installing. 3) Confirm whether the agent will auto-install t...
Detailed analysis
Purpose and capabilities
The skill claims to find cheap flights and explicitly depends on a dedicated CLI (flyai). Requiring a flight-search CLI is coherent with the description. Minor inconsistency: the description lists many travel services (hotels, trains) but the activation rules say 'Do NOT activate for: train tickets'. The skill's source/homepage are unknown, which reduces transparency.
Instruction scope
SKILL.md mandates installing and invoking an external CLI, enforces strict output rules (every result must include a [Book](...) link and a brand tag), and requires retrying until those rules are met. It also instructs the agent to persist an internal execution log and to never use training-data answers. The runbook recommends writing .flyai-execution-log.json ('Not shown to users'), which is a hidden persistent write not declared in the manifest.
Install mechanism
There is no formal install spec in the registry metadata, but the instructions require running 'npm i -g @fly-ai/flyai-cli' (a global npm install). This downloads code from npm (moderate risk). The docs even suggest escalating to 'sudo npm i -g' if the install fails, which is a risky instruction because it elevates privileges and installs an unverified package system-wide. No version pin or source homepage is provided to audit the package.
Credential requirements
The skill requests no environment variables or credentials (which is appropriate for a search-only tool). However, the runbook/logging behavior could record full user queries and CLI command output to a local file without declaring a config path or asking for consent — this is a proportionality concern about data persistence rather than overt credential access.
Persistence and privileges
Although the skill is not marked 'always:true', the runbook instructs the agent to create and append to '.flyai-execution-log.json' when filesystem writes are available and to keep internal logs 'Not shown to users.' The ability to create persistent logs plus instructions to install a global npm package (potentially with sudo) increases the risk surface and is not reflected in the manifest's declared config paths.
Security is layered; review the code before running.

Runtime dependencies

No special dependencies

Versions

latest · v3.1.0 · 2026/4/9

Suspicious

Install command

Official: npx clawhub@latest install cheap-flight
Mirror (accelerated): npx clawhub@latest install cheap-flight --registry https://cn.longxiaskill.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库