特价机票
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its flight-booking purpose, but it handles your flight account token and identity data unsafely and has overbroad refund behavior that needs review.
Only use this skill if you trust the flight service and are comfortable sending passenger name, phone number, ID number, and booking data to the external provider. Before installing for real bookings, ask the publisher to re-enable HTTPS certificate validation, store the API key securely, stop printing full PII, and add explicit per-passenger confirmation for refunds and changes.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local process or user with access to that temporary auth file could reuse the stored flight account token to view or change bookings.
The skill persists a reusable flight-service API key and phone number for 90 days in a predictable temporary-file location and later auto-loads it for all API calls; the code does not show permission hardening or a clear logout/cleanup path.
return get_temp_file_path(".fbt_auth.json") ... "apiKey": api_key, "phone": phone, "expire_days": 90
Store the token in a protected credential store or per-user config file with restrictive permissions, declare the credential in metadata, and provide a documented logout/delete command.
A network attacker or misconfigured proxy could intercept or alter flight-account tokens, passenger identity data, or booking/refund requests.
Authenticated API calls include the apiKey and business parameters, but certificate validation is explicitly disabled for the HTTPS request.
"apiKey": api_key, # auto-inject apiKey ... context = ssl._create_unverified_context()
Remove the unverified SSL context and use normal certificate validation for all API calls before handling real bookings or identity data.
Passenger identity information may appear in chat transcripts, terminal output, logs, or other places where it is not necessary to complete the booking.
The booking script prints full passenger name, phone number, and ID number to stdout, even though the skill documentation says not to expose personal information in logs or replies.
print(f"乘客姓名: {passenger_name}") ... print(f"乘客手机号: {passenger_phone}") ... print(f"乘客证件号: {passenger_id}")
Mask or omit full PII in script output, for example showing only partial phone/ID values, and keep full PII only in the API request.
For a multi-passenger order, a refund request could apply to every passenger ticket rather than only the passenger the user intended.
The refund command accepts only an order ID and amount, then automatically collects all passenger product IDs from the order and submits them together.
用法: python3 refund_apply.py <order_id> <refund_amount> ... for passenger in passenger_list: ... product_id_list.append(product_id) ... product_ids = ",".join(product_id_list)
Require explicit passenger/ticket selection and a final confirmation that lists the exact tickets and refund amount before submitting a refund.
If the temporary seat-state file is stale or altered, the agent could use the wrong fare or cabin information for a later booking step.
The skill stores selected fare/seat state in a temporary file and later relies on that stored state for ordering.
Cabin information is saved to `/tmp/flight_seat_items.json` for use when placing the order
Use per-session protected state, validate that the selected flight/cabin still matches the current user-visible result, and reconfirm details immediately before booking or changing a ticket.
Users have less information to verify who maintains the skill and whether the API integration is trustworthy.
The registry information does not provide a source repository or homepage for a skill that handles external travel-service access and sensitive passenger data.
Source: unknown; Homepage: none
Publish a verifiable source/homepage and provider documentation, especially because the skill processes PII and booking authority.
