📦 Travel Blind Box — 旅行盲盒
v1.0.1 Enter a budget ceiling, a maximum flight time, a travel window and any cities to exclude, and the AI immediately picks one qualifying destination at random from around the world, turning "where to go" into a surprise blind box for anyone who struggles to decide.
0 · 81 · 0 current · 0 cumulative
Last updated: 2026/4/3
Security scan (OpenClaw): Suspicious, high confidence
Assessment
This skill appears to do what it says (pick random destinations, search flights/hotels, and remember preferences), but there are two red flags to consider before installing or executing it: (1) the SKILL.md advises disabling TLS certificate checking (NODE_TLS_REJECT_UNAUTHORIZED=0) — this defeats HTTPS security and can expose you to man-in-the-middle attacks; (2) it recommends installing an external npm package globally (@fly-ai/flyai-cli), which will run third-party code on your machine. If you...
ℹ Purpose and capabilities
The skill's declared purpose (randomized destination selection, search flights/hotels/POI, and remember user prefs) matches the instructions: it calls search-flight/search-hotel/search-poi, reads/writes a user-profile, and implements candidate selection. Asking to install a flyai CLI (via npm) is coherent with using 'flyai' commands, though that adds an external dependency.
⚠ Instruction scope
Instructions explicitly read and update user profile data via either platform memory (search_memory/update_memory) or a local file at ~/.flyai/user-profile.md — this is expected. However, instructions repeatedly recommend running commands prefixed with NODE_TLS_REJECT_UNAUTHORIZED=0 (disabling TLS certificate checks) and recommend global npm installation and sudo usage. Disabling TLS verification and advising elevated install commands broaden the scope beyond normal assistant behavior and are unsafe.
⚠ Installation mechanism
There is no formal install spec, but the workflow instructs users/agents to run 'npm install -g @fly-ai/flyai-cli@latest' (and suggests npx usage). Installing an un-vetted global npm package from the public registry is a moderate risk — it downloads and installs third-party code into the system. The lack of an included install manifest or verified upstream homepage increases uncertainty about the package origin and contents.
⚠ Credential requirements
The skill requests no explicit environment variables or external credentials, which is appropriate. However, it instructs setting NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass TLS verification for network calls — this is an environment modification unrelated to user preferences and is disproportionate and unsafe. The skill writes/reads files under ~/.flyai which is reasonable for storing user profile, but persisting data to the user's home directory is a persistent capability the user should consent to.
ℹ Persistence and permissions
always:false (normal). The skill uses and suggests maintaining a local user-profile (~/.flyai/user-profile.md) or platform memory, which is expected for remembering preferences. It does not request system-wide privileges or modify other skills/configs. Still, writing to the user's home directory and doing global npm installs are privileged actions the user should be aware of.
Security is layered; review the code before running it.
Runtime dependencies: none
Version: latest v1.0.1 (2026/4/2)
● Suspicious
Install command
Official: npx clawhub@latest install flyai-travel-blindbox
Mirror (accelerated): npx clawhub@latest install flyai-travel-blindbox --registry https://cn.longxiaskill.com