首页 / 技能 / Tonight Hotel — 今夜低价订房

📦 Tonight Hotel — 今夜低价订房

v3.2.0

实时抓取今晚可入住的空房,一键比价锁定最低价,支持即时确认,出差夜宿说走就走。

0· 45·0 当前·0 累计
dingtom336-gif 头像by @dingtom336-gif
API工具生产力工具云服务
下载技能包
最后更新
2026/4/11
0
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
NULL
评估建议
Before installing or enabling this skill: 1) Verify the CLI package `@fly-ai/flyai-cli` publisher and inspect its code or its npm/GitHub page — don't install a global npm package from an unverified author. 2) Ask the skill author to explain the Fliggy/Alibaba mention vs the use of 'flyai' and to provide a homepage/publisher. 3) Confirm what authentication the CLI requires, where any credentials are stored, and whether the CLI phones home; the skill does not declare any required env vars but the ...
详细分析 ▾
用途与能力
The manifest/description mentions Fliggy (Alibaba) and many broad travel services (flights, visas, car rental), but the runtime SKILL.md only describes hotel searches via a CLI named flyai. That branding and scope mismatch is unexplained and suspicious: either the description is inaccurate or the skill is hiding additional behavior.
指令范围
The instructions force the agent to install and call an external CLI (@fly-ai/flyai-cli) for every answer and explicitly forbid using any training data. The runbook also instructs logging full user queries and CLI calls (including a snippet that appends logs to .flyai-execution-log.json), which means the skill may persist raw user inputs (potentially PII) to disk without declaring that behavior.
安装机制
There is no formal install spec in the registry, but SKILL.md mandates running `npm i -g @fly-ai/flyai-cli`. Installing a global npm package from an unverified publisher is a moderate risk (network download and arbitrary code execution). The skill does not provide publisher/homepage links to verify the package origin.
凭证需求
The skill declares no required environment variables or credentials, which seems fine for a CLI-based flow; however, the external CLI will likely require some form of authentication (API keys, account login) that the skill does not document. That missing explanation reduces transparency about what secrets might be needed or stored.
持久化与权限
The runbook explicitly suggests appending an execution log to `.flyai-execution-log.json` if filesystem writes are available. The skill can therefore create persistent logs containing raw user queries and CLI outputs. This persistent local storage of user data is not declared in the skill metadata and is a privacy risk.
安全有层次,运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv3.2.02026/4/11

NULL

可疑

安装命令

点击复制
官方npx clawhub@latest install tonight-hotel
镜像加速npx clawhub@latest install tonight-hotel --registry https://cn.longxiaskill.com
数据来源ClawHub ↗ · 中文优化:龙虾技能库