📦 Urgent Flights — 48小时急订机票
v3.2.0一键搜索未来48小时内起飞航班,实时显示余座与价格,专为说走就走或紧急差旅设计。
0· 39·0 当前·0 累计
by 下载技能包
最后更新
2026/4/12
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Things to consider before installing: (1) The skill will try to install a global npm package (@fly-ai/flyai-cli) at runtime if the CLI is missing — review that package on npm/GitHub first or run in an isolated environment. (2) The SKILL.md says it will write an execution log (including the raw user query) to .flyai-execution-log.json — expect local persistence of whatever users input and verify you are comfortable with that. (3) The description mentions Fliggy but the CLI is flyai — ask the publ...详细分析 ▾
ℹ 用途与能力
Name/description: urgent last‑minute flights. Instructions and playbooks consistently focus on flight search and last‑minute scenarios. However the description claims “Powered by Fliggy (Alibaba Group)” while the runtime CLI is @fly-ai/flyai-cli — an unexplained branding mismatch. The description also lists many extra services (hotel, visa, insurance) but the SKILL.md only documents flight CLI commands. These are not definitive red flags but are inconsistent and worth checking with the publisher.
⚠ 指令范围
SKILL.md mandates always sourcing every answer from the flyai CLI and explicitly forbids using any training data. It requires installing the flyai CLI at runtime if absent and requires producing outputs with booking links from CLI JSON only. The runbook instructs persisting an execution log that includes the raw user query. Writing user queries to a local .flyai-execution-log.json file is not declared in the skill metadata and may persist potentially sensitive input. The skill also suggests escalating install attempts (commented fallback shows `sudo npm i -g ...`), which could require elevated privileges.
⚠ 安装机制
There is no declared install spec in the registry metadata, yet the runtime instructions require running `npm i -g @fly-ai/flyai-cli` if the CLI is missing. That means the agent will download and install a third‑party npm package at runtime. Installing a global npm package is a non‑trivial operation (network download, arbitrary code execution). The package is from the public npm ecosystem (traceable) but this runtime installation is not declared in the registry metadata and increases risk.
ℹ 凭证需求
The skill requests no environment variables or credentials, which is proportionate for a read-only flight search. However the runbook log includes the full user_query and CLI command history; those may capture PII (names, emails, passport fragments) if users include them. The skill does not declare any config paths but instructs writing to a local log file, so data persistence is not explicit in the metadata.
⚠ 持久化与权限
The skill will persist an execution log to .flyai-execution-log.json 'if file system writes are available' and logs raw user queries and CLI calls. This creates local persistence of user inputs and CLI results without that persistence being declared in the manifest. The skill does not request always:true, so it won't be force-enabled, but the logging behavior and the potential need to run global npm installs (with possible sudo) raise privilege/persistence concerns.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv3.2.02026/4/12
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install urgent-flights
镜像加速npx clawhub@latest install urgent-flights --registry https://cn.longxiaskill.com