Flyai / bargain-flights / lowprice / flights / hidden-city / ticketing / search / 捡漏机票 / 聪明买法 / 低价机票
v1.0.8帮助用户发现捡漏机票(隐藏城市票价)机会,通过分析联程航线找到比直飞更便宜的到达方案。当用户搜索机票、寻找低价航线、询问省钱买票技巧、或提到捡漏/弃程/隐藏票价时使用此技能。
⭐ 4· 167·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill claims to find hidden‑city (drop) opportunities and the included scripts (bargain_flights.py, qrcode.py) plus the JSON route database directly implement that: a local lookup of candidate 'drop' cities and QR generation for booking links. However the SKILL.md also requires installing an external CLI (@fly-ai/flyai-cli) and network access to a.feizhu.com for live flight/price queries; this is reasonable for live pricing but the top-level registry metadata earlier listed no required binaries/env — that mismatch is an inconsistency to be aware of.
Instruction Scope
Runtime instructions focus on: installing flyai-cli, running python scripts to get drop cities, calling the CLI to query flight data, filtering candidates, and generating QR links via api.qrserver.com. The instructions do not ask the agent to read arbitrary local files beyond the provided data/drop_routes.json. Two noteworthy behaviors: (1) the skill mandates always generating and displaying booking QR codes (it says 'must generate and display, do not ask user') which may be unexpected and could surface booking links without explicit user consent, and (2) the SKILL.md asserts 'does not retain user query history' but no code enforces server-side retention guarantees — that is a claim by the skill author, not a verifiable property here.
Install Mechanism
There is no packaged install spec in the registry entry (instruction-only), but SKILL.md directs the user/agent to run 'npm i -g @fly-ai/flyai-cli' (public npm). Installing an npm CLI is expected for live flight queries but carries the usual npm risks (supply‑chain/malicious packages). The included Python scripts are self-contained and only read local JSON and produce URLs; there are no obscure download URLs or archive extracts in the skill files.
Credentials
The skill requests no environment variables or credentials and the runtime behavior relies on a public CLI and public APIs (a.feizhu.com and api.qrserver.com). Sending origin/destination/date to the flight API is required for the functionality; no unrelated secrets or system config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request modification of other skills or global agent configs. It does allow autonomous invocation by default (platform default), which is expected for a user-invocable helper; this combined with network calls increases blast radius somewhat but is not unusual for this class of skill.
Assessment
This skill appears to do what it says: local lookup of candidate 'drop' cities + live price queries via an external flight API and QR code generation. Before installing: (1) be aware it asks you to install an npm CLI (@fly-ai/flyai-cli) which will send trip queries (origin, destination, date) to a.feizhu.com — only install if you trust that package and the external service; npm packages carry supply‑chain risk. (2) The skill makes a privacy claim (no history retention) that we cannot verify from the code; treat that as an author statement, not a guarantee. (3) The skill will automatically generate and display booking QR links (it instructs not to ask the user) — if you prefer explicit consent before outgoing links are created/shared, modify the workflow to prompt the user. (4) Hidden‑city ticketing has operational and airline‑policy risks (baggage, frequent‑flyer/penalties); the skill warns about these but you should understand legal/contractual implications before using. (5) There is a small metadata inconsistency (registry shows no required binaries while SKILL.md requires node/python3/npm) — ensure your environment meets SKILL.md prerequisites before running.Like a lobster shell, security has layers — review code before you run it.
latestvk97fwtwzkcqbsk2cch5rh6ytt18456xp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.