📦 极限出发 — 说走就走
v1.0.1输入出发城市和最快出发时间,AI秒搜所有即时航班,反向列出此刻能飞抵的全部目的地,并同步推荐今晚酒店、核心景点及一键预订入口,让临时起意的旅程零门槛。
0· 93·0 当前·0 累计
by 下载技能包
最后更新
2026/4/3
安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (finding last‑minute flights + hotels + POIs) matches its instructions, but the runtime docs ask the agent to install and run an external npm CLI and to disable TLS verification—actions that are disproportionate or risky and are not declared in the manifest.
评估建议
This skill conceptually does what it says (search flights/hotels/POIs), but the runtime instructions contain two red flags you should consider before installing/using it:
1) It tells the agent to npm install -g @fly-ai/flyai-cli (downloads and runs third‑party code). Ask the publisher for the CLI's homepage/repository, verify the npm package owner, and review the source or a checksum before installing. Prefer installing such CLIs in an isolated environment (container/VM) rather than on your pri...详细分析 ▾
ℹ 用途与能力
Name/description match the documented actions: reverse-search flights/hotels/POIs and return jumpUrl booking links. The SKILL.md uses search-flight, search-hotel, search-poi which are coherent with the described functionality.
⚠ 指令范围
SKILL.md instructs the agent to read/write a local profile (~/.flyai/user-profile.md) and to use Qoder memory APIs if present—these are plausible for saving preferences, but the file access is not declared in the manifest. Critically, the workflow repeatedly advises setting NODE_TLS_REJECT_UNAUTHORIZED=0 before running flyai commands, which disables SSL/TLS verification and is a serious security risk (enables MITM). The instructions also permit using sudo and global npm installs, which expand scope to system package installation.
⚠ 安装机制
There is no formal install spec in the manifest, but the runtime docs require running: npm install -g @fly-ai/flyai-cli@latest --registry=https://registry.npmjs.org. That directs the agent to download and execute third‑party code from npm at runtime (moderate–high risk). The skill does not provide a verified source, checksum, or homepage/repo to review the CLI code before installation.
⚠ 凭证需求
The manifest declares no required env vars, but the instructions instruct setting NODE_TLS_REJECT_UNAUTHORIZED=0 (an unsafe change to TLS behavior). The skill expects read/write access to ~/.flyai/user-profile.md and to use search_memory/update_memory if available—these are reasonable for user prefs but should have been declared. No API keys are requested, which is appropriate, but the implicit need to install and run an external CLI may require network access and could exfiltrate data depending on that CLI's behavior.
✓ 持久化与权限
always is false and the skill does not request forced persistent inclusion. The only persistence described is writing its own user-profile file or using platform memory APIs, which is within expected scope for a preference-tracking travel helper.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/4/2
v1.0.1 adds extensive reference documentation and modularizes workflow. - Added 11 reference files covering command examples, search workflows, and API usages. - Modularized documentation: moved workflow, user profile storage, and command details into the /reference directory. - Enhanced user preference handling by describing a dual-mode profile read/save mechanism. - Documentation now references new example conversations and function manuals for easier onboarding. - Original detailed workflow and output template moved to separate reference files for clarity.
● 可疑
安装命令
点击复制官方npx clawhub@latest install flyai-instant-departure
镜像加速npx clawhub@latest install flyai-instant-departure --registry https://cn.longxiaskill.com