📦 Convince Them — 旅行说服助手
v1.0.1一键生成带真实机票、酒店、景点价格的旅行方案,用数据击破伴侣/老板/爸妈的顾虑,微信直发秒说服。
0· 83·0 当前·0 累计
by 下载技能包
最后更新
2026/4/4
安全扫描
OpenClaw
可疑
high confidenceThe skill largely matches its stated purpose (building persuasive travel proposals using a FlyAI CLI) but includes several surprising and risky instructions — notably disabling TLS certificate checks and reading/writing a local profile file without declaring that access — which deserve caution before installing.
评估建议
What to consider before installing:
- TLS bypass: The skill recommends running FlyAI CLI commands with NODE_TLS_REJECT_UNAUTHORIZED=0 to ignore SSL certificate errors. This is unsafe — it disables TLS verification and makes network traffic susceptible to man-in-the-middle attacks. Ask the author why this is necessary; do not run in production or on machines with sensitive data while TLS is disabled.
- Global npm install: The SKILL.md asks you to run npm install -g @fly-ai/flyai-cli@latest. Ins...详细分析 ▾
ℹ 用途与能力
Name/description claim to fetch real prices from FlyAI and produce shareable proposals; the SKILL.md indeed uses flyai search-flight/search-hotel/search-poi and templates. Requiring a FlyAI CLI is coherent. However the skill reads/writes a local user profile file (~/.flyai/user-profile.md) and instructs global npm installation; those are reasonable for a CLI-backed assistant but the manifest declared no required config paths or credentials — mismatch between declared metadata and actual instructions.
⚠ 指令范围
Instructions tell the agent to (a) install a global npm package, (b) run flyai CLI commands prefixed with NODE_TLS_REJECT_UNAUTHORIZED=0 (disables TLS verification), (c) read/write a local file at ~/.flyai/user-profile.md or call search_memory/update_memory. The local file IO (create/read/update) is outside the manifest’s declared config paths and expands scope. The repeated recommendation to bypass SSL verification is a significant red flag (increases MITM/exfiltration risk). There are also minor inconsistencies in package references (e.g., @fly-ai/flyai-cli vs @anthropic-ai/flyai-cli in docs).
ℹ 安装机制
No formal install spec in registry metadata, but SKILL.md instructs running npm install -g @fly-ai/flyai-cli@latest. Installing from the public npm registry is plausible for CLI usage (moderate risk). The instruction to install globally and to suggest sudo for permission issues raises operational caution (avoid running as root). Overall install approach is expected for acquiring a CLI but should be treated as code execution from the network.
⚠ 凭证需求
Manifest declares no environment or credential requirements, and none are required to be provided — which aligns with no API keys. However SKILL.md repeatedly uses NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass TLS; that is an environment-setting that weakens security and is not justified by the described purpose. The skill also will read/write ~/.flyai/user-profile.md (persistent user data) without declaring required config paths — this access should have been declared and justified.
ℹ 持久化与权限
always:false (good). The skill documents persistent local storage (~/.flyai/user-profile.md) and uses platform memory APIs when available; storing user preferences is coherent. However the skill instructs creating and updating files in the user's home directory and updating 'memory' — those are persistent behaviors the user should consent to. The skill does not request elevated platform privileges, but its persistence combined with network install and TLS bypass increases blast radius.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/4/2
- 增加了 reference 目录,补充了详细工具、场景、学习机制和模板说明,便于后续拓展与维护。 - 用户画像与偏好支持“双模式”(search_memory/API或本地文件),提升了启动效率和兼容性。 - FlyAI CLI 安装/升级流程简化为一键命令,确保始终获取最新版并自动处理首次安装与升级,无需手动判断。 - 核心文档结构更加精炼,详细说明均迁移到 reference 子目录,实现主流程与细节解耦。 - 输出和工作流模板支持多场景适配,按类型动态引用 reference 实现灵活说服提案生成。 - 异常处理和自主学习与优化流程更加系统化,相关细节见 reference 下专区文档。
● 可疑
安装命令
点击复制官方npx clawhub@latest install flyai-persuade-ta
镜像加速npx clawhub@latest install flyai-persuade-ta --registry https://cn.longxiaskill.com