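📦 Travel Companion Compatibility Report — Quick Travel Compatibility Test
v1.0.1
In the 3 minutes before departure, measure how well you and your travel companion match on pace, budget, and sightseeing preferences. The system compares real hotel/attraction data and automatically produces a compromise itinerary that accommodates both sides' needs, defusing conflicts ahead of time.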
Last updated: 2026/4/4
Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill does what it claims (travel-style questionnaire + FlyAI searches) but includes several concerning instructions: (1) It tells the agent to disable TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0) — this weakens transport security and can expose you to man-in-the-middle attacks; avoid doing this in production. (2) The workflow asks to install a global npm package (and suggests sudo) — that executes code from the network with elevated privileges; only run if you trust the pa...
ℹ Purpose and capabilities
Name/description match the behaviour: collecting travel preferences, computing a match score, and calling FlyAI search commands to produce booking links. However, the SKILL.md reads/writes a local path (~/.flyai/user-profile.md) and relies on platform memory tools (search_memory/update_memory) even though the skill metadata declares no required config paths or dependencies — a mismatch between declared requirements and actual I/O.
⚠ Instruction scope
Instructions direct the agent to read and write user profile data (Qoder memory APIs or local file ~/, creation of ~/.flyai), to run FlyAI CLI commands, and to explicitly bypass SSL verification by setting NODE_TLS_REJECT_UNAUTHORIZED=0 when certificate errors occur. The TLS bypass and the use of sudo/npm in the workflow expand the agent's scope beyond pure analysis/recommendation and are a security risk.
⚠ Install mechanism
There is no formal install spec, but workflow instructions tell users/agents to install/upgrade the FlyAI CLI via `npm install -g @fly-ai/flyai-cli@latest` and suggest using sudo. That means the skill implicitly expects network downloads and global installation, potentially requiring elevated privileges — this should have been declared and vetted.
⚠ Credential requirements
The skill declares no required environment variables or credentials, which fits a recommendation tool. But it prescribes setting NODE_TLS_REJECT_UNAUTHORIZED=0 to work around TLS failures and relies on platform-specific tools (search_memory/update_memory) when present. It also reads/writes a local user-profile file (~/.flyai/user-profile.md) — access to local filesystem/memory was not declared and can persist sensitive user data.
ℹ Persistence and permissions
Skill writes/updates user profile data either to Qoder Memory or to a local file (~/.flyai/user-profile.md). It does not set always:true and does not modify other skills. Persisting user profile is reasonable for functionality, but users should be aware this skill will store personal preferences locally or in platform memory.
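Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.1 2026/4/2
● Suspicious
Install command
Official: `npx clawhub@latest install flyai-companion-matcher`
Mirror (accelerated): `npx clawhub@latest install flyai-companion-matcher --registry https://cn.longxiaskill.com`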