Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HANHANLI

v1.4.0

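China hotel price comparison - hotel search, price comparison, package analysis and personalized recommendations specifically for Chinese domestic platforms such as Meituan, Qunar, Ctrip, Fliggy and Tuniu.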

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (China hotel comparison) aligns with the files and algorithms included (search strategies, price calculation, recommendation engine). Requesting no credentials and no binaries is reasonable for an instruction-only skill that uses web fetching. However, the docs also describe device/environment recognition, session IDs, and local storage paths (/users/{user_id}/private/, /families/{family_id}/shared/) which imply filesystem access and persistent storage that are not declared in the metadata; this mismatch is noteworthy.
! Instruction Scope
SKILL.md and the included docs instruct the agent to perform multi‑platform real-time queries and to collect and persist user profiles, history, and device/session signals. They reference reading implicit signals (dialog style, device/environment) and storing per-user and per-family data in filesystem-like paths. The package-value-analysis file also contains an embedded DSML/web_fetch invocation to a public Disney URL (expected), but the presence of unicode-control-chars and DSML tags suggests the runtime instructions may include hidden or non-obvious tooling directives. The skill does not declare that it will read or write local paths or access system identifiers—this is a scope mismatch and could enable broader data access than the metadata suggests.
Install Mechanism
There is no install spec; this is instruction-only plus documentation and one example script. No packages or external archives are downloaded by the skill metadata, which reduces installation risk. The only potential install/runtime risk is the included script file (scripts/hotel-search-example.sh) whose contents were not provided in the evaluation text; that file could perform network or system operations at runtime and should be inspected before use.
! Credentials
The skill declares no required environment variables or credentials (appropriate for a read-only comparison tool). However, the documentation explicitly discusses storing personal data, family-shared data, and device/environment recognition—operations that could require filesystem access, device identifiers, or additional permissions. Because those capabilities are not reflected in requires.env or required config paths, the requested/declared environment is under-specified relative to the behavior described.
Persistence & Privilege
always:false and normal autonomous invocation are in place (no elevated persistent privilege declared). The documentation does describe persistent storage locations and a learning/feedback loop (history learning, profiles, shared family storage). That behavior implies the skill expects to persist user data but the metadata does not declare any config paths or permissions; this mismatch should be resolved. There is no explicit claim that the skill will modify other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md and other markdown files contain DSML tags and/or hidden/unusual characters flagged by the scanner. Hidden/unicode-control characters can be used to obfuscate instructions or hide tool-invocation directives; this is not expected for plain documentation and should be investigated. The package-value-analysis file contains a <|DSML|invoke name="web_fetch"> block which may be legitimate, but the control-character finding increases risk of concealed directives.
What to consider before installing
What to check before installing or enabling this skill:
1) Inspect scripts/hotel-search-example.sh and the two omitted files for network destinations and shell commands. Ensure they only call well-known public endpoints (platforms or official hotel sites) and don't POST data to unknown servers.
2) Search all files for hidden/unprintable/unicode control characters and for the DSML-like blocks. Confirm any web_fetch or tool-invoke calls only use trusted domains (no personal servers, IP addresses, pastebins, or URL shorteners).
3) Clarify persistence: the docs describe storing user and family data and device/session recognition but the skill metadata does not request filesystem or config-path access. If you plan to allow history/profile persistence, require transparency about where data will be stored, encryption, and deletion workflows.
4) Verify that no credentials (payment, platform API keys) are being collected or required. If the skill needs APIs for deeper integration, demand explicit declared env vars and a privacy/security rationale.
5) Run the skill in a sandboxed environment first (or with network monitoring) to confirm it only fetches public pages for price checks and does not exfiltrate data.
If you are not comfortable with hidden characters, undeclared filesystem usage, or unreviewed shell scripts, do not install or enable the skill until the maintainer provides cleared source (human-readable script contents), an explanation of the DSML/web_fetch invocations, and an explicit description of data persistence behavior and storage locations.

Like a lobster shell, security has layers — review code before you run it.

latestvk972shd7yf77nvzvx8frv3gn7s81v2ex

SKILL.md

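China Hotel Price Comparison

Core Features

  1. Multi-platform price comparison: Ctrip, Qunar, Meituan, Fliggy, Tuniu
  2. Smart recommendations: based on user profiles and history learning
  3. Package analysis: breaks down the included services in depth to calculate the real discount
  4. Multi-user management: family sharing and collaborative decision-making
  5. Mandatory 5 options: ensures diversity of choice

Use Cases

  • Hotel search and price comparison within China
  • Collaborative planning for family trips
  • In-depth analysis of package value
  • Personalized recommendations and filtering

Workflow

  1. Collect user requirements
  2. Real-time queries across multiple platforms
  3. Smart filtering and sorting
  4. Provide no fewer than 5 options
  5. Detailed analysis and recommendations

File Structure

  • search-strategy.md: search strategy
  • price-calculation.md: price calculation
  • package-value-analysis.md: package analysis
  • multi-user-management.md: multi-user management
  • user-profiles.md: user profiles
  • user-history-learning.md: history learning
  • personalized-recommendation.md: recommendation engine
  • user-preferences.md: user preferences
  • scripts/hotel-search-example.sh: example script

Version: 1.4.0
Updated: 2026-02-25
Highlights: multi-user management + package analysis + history learning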

Files

13 total