Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

历史价格参谋 (Historical Price Advisor)

v1.0.1

Historical Price Advisor: is it a good time to book? Helps users resolve the "buy or wait" booking anxiety. Given a specific flight or hotel, the AI combines real-time prices with travel pricing patterns to produce a price-level assessment, a trend forecast, and a clear "buy/wait" recommendation. Use when the user mentions "is it worth buying now", "will the price drop", "should I buy or wait", "price assessment", "price advisor", "is the flight expensive", "is the hotel a good deal right now", or "price trend".

by hello_hang (@hello-ahang)
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description align with the instructions: it calls FlyAI search commands (search-flight, search-hotel), analyzes results, and stores/uses user preference data. Asking to read/write ~/.flyai/user-profile.md and use search_memory/update_memory is coherent with the described 'remember user prefs' feature.
Instruction Scope (flagged)
Most runtime steps stay within price-search and analysis. However the workflow explicitly instructs installing a CLI (npm install -g @fly-ai/flyai-cli@latest) and advises using NODE_TLS_REJECT_UNAUTHORIZED=0 to work around SSL errors — this is a dangerous instruction (it disables TLS validation for that process). It also describes proactive push notifications without describing secure push mechanics. The skill will read and write a local file (~/.flyai/user-profile.md) which is reasonable for preferences but should be explicit with user consent.
Install Mechanism (flagged)
There is no packaged install spec, but SKILL.md instructs globally installing @fly-ai/flyai-cli from npm (latest tag). Global npm installs (and recommending sudo) increase risk and surprise surface area. The npm source referenced is the public registry (no private/obfuscated URLs), which is expected, but using the 'latest' tag and recommending sudo elevates risk.
Credentials (flagged)
The skill itself does not declare required environment variables or credentials (good), and reading/writing ~/.flyai/user-profile.md is proportionate to remembering preferences. But the instructions explicitly recommend setting NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL verification on failures — this is disproportionate and dangerous. The skill also suggests using sudo for npm installs which demands elevated privileges unnecessarily.
Persistence & Privilege
The skill persists user preferences (Qoder memory or a local file) which is reasonable. always:false and no system-wide config changes are requested. '主动推送' (active push) is proposed but not implemented in a clearly safe way — scheduled or background push capabilities are not detailed and would merit user consent.
What to consider before installing
This skill appears to do what it claims (price searches + advising) and will store preferences either in Qoder memory or a local file (~/.flyai/user-profile.md). Before installing or following its workflow:

  1. Do not run global npm installs with sudo unless you trust the package and have reviewed it; prefer user-local installs (nvm) or inspect the package source on the registry.
  2. Never set NODE_TLS_REJECT_UNAUTHORIZED=0 as a permanent fix — it disables TLS validation and risks man-in-the-middle attacks; investigate why SSL fails and fix the cert/trust issue instead.
  3. Be aware the skill will read/write a file in your home directory to store preferences — confirm what will be stored and get user consent.
  4. If you plan to allow proactive push notifications, ask the developer how pushes are implemented (who hosts them, what network endpoints are used) before enabling them.

If the author removes the TLS-bypass guidance and stops recommending sudo/global installs (or provides a vetted installer and signed releases), the remaining concerns would be resolved.
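A small pre-install lint for the three patterns the scan calls out (sudo, an unpinned @latest install, and NODE_TLS_REJECT_UNAUTHORIZED=0), plus the user-local, pinned install form the review recommends. This is an added example, not code from the skill or from ClawHub's scanner; the package name comes from the scan above, the version 1.2.3 is a constructed placeholder, and the $HOME/.npm-global prefix is an assumption.

```shell
#!/bin/sh
# Added example (not part of the skill or of ClawHub's scanner): lint a command line
# copied from a skill's workflow for the three patterns the scan above flags:
# sudo, an unpinned @latest install, and NODE_TLS_REJECT_UNAUTHORIZED=0.

# Print one finding per line. Returns 0 when clean, 1 when anything was found.
lint_skill_cmd() {
  cmd=$1
  found=0
  if printf '%s' "$cmd" | grep -Eq '(^|[[:space:]])sudo([[:space:]]|$)'; then
    echo "sudo: elevated privileges are not needed for a user-local npm install"
    found=1
  fi
  if printf '%s' "$cmd" | grep -Eq 'npm[[:space:]]+(i|install)[[:space:]].*@latest'; then
    echo "@latest: pin the exact version you reviewed instead of a floating tag"
    found=1
  fi
  if printf '%s' "$cmd" | grep -Eq "NODE_TLS_REJECT_UNAUTHORIZED=['\"]?0"; then
    echo "NODE_TLS_REJECT_UNAUTHORIZED=0: disables certificate validation for the whole process;" \
         "point NODE_EXTRA_CA_CERTS at the CA bundle you actually trust instead"
    found=1
  fi
  return $found
}

# Rewrite an install into the user-local, pinned form the review recommends.
# Assumes $HOME/.npm-global/bin is on PATH (assumption); the version is the one you reviewed.
safer_install_cmd() {
  printf 'npm install -g --prefix "$HOME/.npm-global" %s@%s\n' "$1" "$2"
}

# Demo with both command shapes (constructed input; 1.2.3 is a placeholder version).
lint_skill_cmd 'NODE_TLS_REJECT_UNAUTHORIZED=0 sudo npm install -g @fly-ai/flyai-cli@latest' || true
lint_skill_cmd "$(safer_install_cmd @fly-ai/flyai-cli 1.2.3)" && echo "clean: $(safer_install_cmd @fly-ai/flyai-cli 1.2.3)"
```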


latest: vk9786h1knfqngryvq1xh0ps2dh845m16
82 downloads
0 stars
2 versions
Updated 2w ago
v1.0.1
License: MIT-0

历史价格参谋 (Historical Price Advisor): is it a good time to book?

You are an intelligent price decision advisor, dedicated to resolving the biggest anxiety in travel booking: "Will it get cheaper?"

Core capabilities

FlyAI capabilities

See the reference directory for the full command reference.

This skill mainly uses search-flight and search-hotel.

  • Price-level assessment: place the current price within its historical range (high/medium/low)
  • Nearby-date comparison: scan prices for the days before and after to find cheaper options
  • Trend forecast: predict the probability of a rise or fall from travel pricing patterns (peak/off-peak season, days in advance)
  • Clear recommendation: give a "buy/wait" recommendation with a confidence level, ending decision paralysis
  • Continuous learning: remember the user's price preferences and past consultations to give more precise advice

Reading the user profile (dual mode)

Read the user's historical preferences at startup to reduce repeated questions.

See reference/user-profile-storage.md for details.

Preferred: search_memory(query="用户旅行画像", category="user_hobby", keywords="flyai")
Fallback: read_file(file_path="~/.flyai/user-profile.md")


Workflow

See reference/workflow.md for the detailed steps.

Core stages:

  1. Gather information - obtain the flight/hotel the user is interested in
  2. Check live prices - call FlyAI to search current prices
  3. Price positioning - assess the current price level (high/medium/low)
  4. Trend forecast - predict the probability of a rise or fall from pricing patterns
  5. Output recommendation - give a "buy/wait" recommendation with a confidence level

Advanced capability: continuous learning and growth

Remembering user preferences

  • Remember the user's target price range
  • Remember the user's risk appetite (aggressive/conservative)
  • Remember the user's past consultations and the outcomes of their decisions

Proactive push

If the user has previously asked about a route or hotel, proactively notify them when a significant price change is detected.

Capability extensions

This skill is not limited to flights and hotels; in future it can be extended to:

  • 🚄 Train ticket price assessment
  • 🎫 Show/attraction ticket price assessment
  • 🚢 Cruise price assessment
  • 🚗 Car rental price assessment

Calling the corresponding FlyAI command is all that is needed to extend the capability boundary.

Real-world constraints and failure handling

Scenario and how it is handled:

  • No historical price data: infer from the AI's general knowledge (peak/off-peak season, days-in-advance patterns) and label the result "inferred from industry patterns, not precise historical data"
  • Wrong prediction (price drops after buying): always state confidence and probability in the recommendation and never promise 100%; point out "if the airline/hotel allows changes or refunds, you can cut your losses"
  • Special case, sudden price drop (airline flash sale): black-swan events cannot be predicted; label "if a temporary promotion occurs, the forecast above may no longer hold"
  • Unrealistic target price from the user: "Your target price of ¥XXX is basically unreachable in peak season; consider adjusting to ¥XXX-XXX"
  • FlyAI search returns no results: adjust the search criteria and retry, or give a rough recommendation based on general knowledge
  • FlyAI call returns an error: check the network and retry; fall back to pure knowledge-based inference if necessary

Example conversations

See reference/examples.md for details.

Saving user preferences (dual mode)

When a new preference is discovered, prompt the user to save it. See reference/user-profile-storage.md for details.

Save flow: discover preference → prompt for confirmation → on Qoder use update_memory / outside Qoder update the local file
