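📦 Historical Price Advisor — Price Advisor
v1.0.1 Enter flight or hotel information; the AI compares it against historical price curves in real time, judges the current price level in seconds, and gives a "buy/wait" decision, helping you say goodbye to booking anxiety.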
Last updated: 2026/4/4
Security scan (OpenClaw): Suspicious, high confidence
Assessment and recommendations
This skill appears to do what it claims (price searches + advising) and will store preferences either in Qoder memory or a local file (~/.flyai/user-profile.md). Before installing or following its workflow: 1) do not run global npm installs with sudo unless you trust the package and review it; prefer user-local installs (nvm) or inspect the package source on the registry. 2) Never set NODE_TLS_REJECT_UNAUTHORIZED=0 as a permanent fix — it disables TLS validation and risks man-in-the-middle attac...
✓ Purpose and capability
Name/description align with the instructions: it calls FlyAI search commands (search-flight, search-hotel), analyzes results, and stores/uses user preference data. Asking to read/write ~/.flyai/user-profile.md and use search_memory/update_memory is coherent with the described 'remember user prefs' feature.
⚠ Instruction scope
Most runtime steps stay within price-search and analysis. However the workflow explicitly instructs installing a CLI (npm install -g @fly-ai/flyai-cli@latest) and advises using NODE_TLS_REJECT_UNAUTHORIZED=0 to work around SSL errors — this is a dangerous instruction (it disables TLS validation for that process). It also describes proactive push notifications without describing secure push mechanics. The skill will read and write a local file (~/.flyai/user-profile.md) which is reasonable for preferences but should be explicit with user consent.
⚠ Install mechanism
There is no packaged install spec, but SKILL.md instructs globally installing @fly-ai/flyai-cli from npm (latest tag). Global npm installs (and recommending sudo) increase risk and surprise surface area. The npm source referenced is the public registry (no private/obfuscated URLs), which is expected, but using the 'latest' tag and recommending sudo elevates risk.
⚠ Credential requirements
The skill itself does not declare required environment variables or credentials (good), and reading/writing ~/.flyai/user-profile.md is proportionate to remembering preferences. But the instructions explicitly recommend setting NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL verification on failures — this is disproportionate and dangerous. The skill also suggests using sudo for npm installs which demands elevated privileges unnecessarily.
ℹ Persistence and privileges
The skill persists user preferences (Qoder memory or a local file) which is reasonable. always:false and no system-wide config changes are requested. '主动推送' (active push) is proposed but not implemented in a clearly safe way — scheduled or background push capabilities are not detailed and would merit user consent.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.1 2026/4/2
● Suspicious
Install command
Official: npx clawhub@latest install flyai-price-advisor
Mirror (accelerated): npx clawhub@latest install flyai-price-advisor --registry https://cn.longxiaskill.com