flight-monitor
v1.1.1机票查询与价格监控技能。支持单程/往返查询、价格阈值提醒、定时监控、手机推送通知(Bark/Server酱/PushDeer)。触发词示例:查一下北京到三亚的机票、帮我看看上海飞成都下周六往返票、监控杭州到西安3月26日机票低于500提醒我、查看所有机票监控任务。
⭐ 0· 206·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Overall the requested files, network calls, and local storage align with a flight search + monitoring skill. Minor inconsistency: SKILL.md states '无需 API 密钥' (no API keys required) while search_flights.py supports an optional zbape API key stored in ~/.workbuddy/flight-monitor/api_config.json; this is optional and not required for the primary Ctrip-based flow, but the README claim is slightly optimistic.
Instruction Scope
SKILL.md gives precise runtime steps: run search_flights.py (primary), fall back to a single web_search only if needed, record results via price_history.py, and send notifications via notify.py. The instructions explicitly forbid arbitrary web_fetch and limit web_search use to one query, and the scripts operate only on per-route files under ~/.workbuddy. There are no instructions to read unrelated system files or environment secrets.
Install Mechanism
No install spec / remote downloads are present — the skill is instruction + bundled scripts. All code is local and there is no installer that fetches arbitrary remote archives. This is a lower-risk distribution model (files are present in the skill bundle).
Credentials
The skill requests no environment variables or platform credentials. It does write/read configuration and history under the user's home (~/.workbuddy). Optional credentials are stored only if the user configures them: push service keys (Bark/Server酱/PushDeer) and an optional zbape API key. Storing user-provided keys locally is expected for push/API features but users should be aware these keys are stored in plaintext JSON in their home directory.
Persistence & Privilege
The skill does persist monitor tasks and history under ~/.workbuddy and creates TOML/JSON files there; always: false and it does not request system-wide privileges. Code includes path boundary checks and whitelist regexes to prevent path traversal. The skill does not modify other skills' configs or request permanent platform-level privileges.
Assessment
What to know before installing:
- Behavior: The skill queries public flight APIs (Ctrip) and, when necessary, suggests a single web_search for the AI to run. It stores monitor configurations and price history in your home directory under ~/.workbuddy/flight-monitor and ~/.workbuddy/automations.
- Credentials: No credentials are required by default. If you want push notifications you must supply a push service key (Bark/Server酱/PushDeer); these keys are saved to ~/.workbuddy/flight-monitor/notify_config.json. The search tool also supports an optional third-party zbape API key saved to ~/.workbuddy/flight-monitor/api_config.json. Treat those files like any other sensitive config (permission them appropriately).
- Network: The scripts make outbound HTTPS requests to booking/OTA endpoints (e.g., flights.ctrip.com) and to push-service APIs. If you have network or privacy concerns, review the code and consider running it in a restricted environment.
- Safety checks: The code uses input validation and path boundary checks to mitigate path traversal and unsafe filenames. monitor_manager.py intentionally avoids subprocess/os.system calls; monitor 'run' prints prompts rather than executing shell commands.
- Minor note: SKILL.md's claim 'no API keys required' is true for the main Ctrip flow, but an optional zbape key is supported — only supply keys you trust.
If you want higher assurance, inspect the bundled scripts (they are included) and confirm you are comfortable with local config files and outbound network connections before enabling automatic monitoring.Like a lobster shell, security has layers — review code before you run it.
latestvk97bxns3n3qns4a5hb0vsx4nan839mgp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.