qunar-travel-query

This skill appears to implement Qunar travel queries, but there are two things you should check before installing or enabling it: 1) Credential mapping mismatch — The SKILL.md tells you to configure a credential named 'qunar_api_key', but the script reads an environment variable named COZE_QUNAR_API_KEY_7612643102733467667. Confirm with the platform how credentials are mapped to environment variables; if the platform does not automatically set COZE_QUNAR_API_KEY_7612643102733467667 from your 'qunar_api_key' entry, the skill will fail. Do not paste your real API Key into an arbitrary text field unless you understand where it will be stored. 2) Endpoint / exfiltration risk — The script will send your API Key in the Authorization header to whatever api_endpoint is provided. Only use official, documented Qunar endpoints. If you or the agent accidentally supply a malicious endpoint, your API Key could be leaked. Prefer hard-coding or whitelisting known official endpoints in agent logic, or restrict network egress in the runtime environment. Additional practical steps: - Verify the source (this package lists no homepage and the source is 'unknown'); prefer skills from known/trusted publishers. - Confirm the runtime has the 'coze_workload_identity' dependency (or replace it with a standard requests library) and declare dependencies explicitly. - If you must test, do so in a sandboxed environment with network controls and a test/limited API Key that can be revoked. - If unsure, ask the skill author to (a) document exact env var name(s) the script expects, (b) declare dependencies, and (c) restrict or validate api_endpoint values.