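📦 Meituan Travel builds on Meituan's hotel and travel supply to handle travel needs. It offers search and booking for hotels, flights and train tickets, attraction tickets, vacation packages and other products, as well as customized travel-guide capability, covering the full chain from "inspiration" to "one-click ordering".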
v1.0.0 · 20 minutes ago
Last updated
2026/4/21
Security scan
OpenClaw
Suspicious
medium confidence
The skill's behavior mostly matches a travel-API helper, but its runtime instructions ask you to paste a sensitive API token into chat, write that token to a local config file, and install an external npm CLI (not declared in the metadata) — these mismatches and operational risks merit caution.
Assessment recommendations
This skill appears to be a legitimate Meituan travel CLI wrapper, but there are important risks and inconsistencies to consider before installing or using it:
- Token handling: The skill asks you to paste your Meituan developer API token into the chat and will save it to ~/.config/meituan-travel/config.json. Chat histories and platform logs may retain that token. Prefer providing credentials via a secure secret store (if available) rather than pasting them into conversation. If you must paste a...
ℹ Purpose and capabilities
The name/description (Meituan travel assistant) aligns with the actions described (querying/booking via a Meituan travel CLI and using an API token). However, the SKILL.md requires reading/writing a local config path (~/.config/meituan-travel/config.json) and installing an npm CLI, yet the registry metadata declares no config paths, no required binaries, and no install spec — this omission is an inconsistency.
⚠ Instruction scope
The instructions explicitly direct the agent to: prompt the user to paste an API token into chat, save that token into ~/.config/meituan-travel/config.json via a shell heredoc, and execute the mttravel CLI. Asking users to paste highly sensitive tokens into conversation history and instructing the agent to write them to disk are security-sensitive actions that go beyond simple read-only queries. The skill also mandates verbatim passthrough of CLI output (including images/links), and special behavior for certain channels (WeChat), which increases the chance of leaking data into channels or tools not under your control.
⚠ Install mechanism
There is no install spec in the registry entry, but SKILL.md instructs users to run npm i -g @meituan-travel/travel-cli. That installs third-party code globally from the public npm ecosystem; the package source/reputation is not provided here. An instruction-only skill that depends on installing and running an external CLI is higher risk because external code will run on the host and the registry metadata does not declare or vet that dependency.
⚠ Credential requirements
The skill declares no required environment variables or config paths, yet it reads and writes a local config file in the user's home directory to store an API token. Requesting and storing a sensitive token is proportionate to the skill's purpose, but the SKILL.md's requirement to obtain the token via in-chat copy/paste (which may be retained in logs) is a risky practice and should have been handled via a declared secure secret mechanism instead.
ℹ Persistence and privileges
The skill does not set always: true and does not request elevated system-wide configuration. It does instruct writing to ~/.config/meituan-travel/config.json (its own config file), which is a normal level of persistence for a CLI-backed integration — but this file access was not declared in the registry metadata, and storing credentials on disk increases persistent exposure if the machine or backups are compromised.
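Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/4/21
meituan-travel v1.0.0
- First release, providing full-chain travel service query capability based on Meituan's hotel and travel business.
- Supports one-stop search and booking for hotels, flights, train tickets, attraction tickets, vacation packages and more.
- Implements flexible token authentication management and a flow for handling expired tokens.
- Strictly defines and standardizes the output format so that information is complete and images and links are displayed compliantly.
- Clarifies the scope of use, excluding non-travel business and guidance on outbound travel services.
- Provides reliable error handling and user guidance.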
● Pending
Install command
Official: npx clawhub@latest install meituan-travel
Mirror: npx clawhub@latest install meituan-travel --registry https://cn.longxiaskill.com (mirror sync in progress)