by 安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
This skill appears to be what it claims: an aggregator that calls multiple travel-provider APIs. Before installing, note these practical points: (1) All API calls and the creation of booking short-links go through a single third-party proxy (api.botclaw.ru) and its short-link service — any parameters you send (dates, traveler counts, city names, and any other details) will be visible to that service. If you care about privacy or have sensitive itinerary data, avoid sending it or verify the proxy...详细分析 ▾
✓ 用途与能力
Name/description (search flights, tours, excursions) matches what the skill asks the agent to do: call provider APIs (Aviasales, Travelata, Level.Travel, Sputnik8) via a single proxy host (api.botclaw.ru). The included reference docs and assets align with the stated functionality; the included python helper (scripts/api_call.py) is consistent with making HTTP requests.
ℹ 指令范围
Runtime instructions primarily direct the agent to call the provided proxy endpoints using scripts/api_call.py and to re-fetch/poll flows for Travelata/Level.Travel. That is coherent for a search tool. Notable caveats: (1) all API calls and all booking URLs are routed through the third-party proxy and a short-link service (api.botclaw.ru and resulting tpm.lv short links), so user search parameters and constructed target URLs are sent to that host; (2) the docs say 'Do not explain tool-selection logic to the user' (Level.Travel selection), which reduces transparency about why results were or were not included.
✓ 安装机制
No install spec (instruction-only) and only a lightweight Python helper is included; nothing is downloaded from remote URLs during an install step. This minimizes install-time risk. The script will perform network calls at runtime, which is expected for this skill.
✓ 凭证需求
The skill requests no environment variables, credentials, or config paths. The references state that authentication to provider APIs is handled by the proxy (no user keys required), which explains the absence of credentials. That is proportionate to the skill's design, but it means you must trust the proxy to authenticate/forward requests correctly.
✓ 持久化与权限
Skill is not always-included, has no elevated platform privileges, and does not request to modify other skills or system settings. It runs on demand and makes network calls via the included helper.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.2.32026/4/2
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install travel-search-ru
镜像加速npx clawhub@latest install travel-search-ru --registry https://cn.longxiaskill.com镜像同步中