bleisure-micro-vacation

Warn

Audited by ClawScan on May 10, 2026.

Overview

The travel-planning purpose is coherent, but the skill can automatically control a logged-in Chrome session through a shared CDP proxy and keeps persistent trip-memory logs.

Use this skill for map and travel suggestions only if you are comfortable with its local memory file and optional provider/API use. Be especially cautious about enabling Chrome remote debugging or the Xiaohongshu CDP mode, because that lets the workflow interact with your logged-in browser through a shared localhost proxy.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If CDP is available, the agent may open and inspect Xiaohongshu pages through your local browser as part of normal recommendations.

Why it was flagged

The skill instructs the agent to automatically use browser automation before output, without making each use explicitly optional or user-approved.

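Skill content

In the main workflow, **after the recommended places are determined and before the plan is output**, **automatically run** the CDP scrape. **This is not an optional step**: it is as important as the Amap (高德) links. When CDP is available, scraping is mandatory.

Recommendation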

Only enable the CDP flow if you are comfortable with browser automation; otherwise keep Chrome remote debugging off and use the keyword fallback.

What this means

A browser eval channel can execute page scripts in a logged-in browser context if the local proxy is available.

Why it was flagged

The workflow uses a localhost eval endpoint to execute JavaScript in the user's browser page, which is a powerful escape-hatch mechanism.

Skill content

```bash
curl -s -X POST "http://localhost:3456/eval?target=TARGET_ID" \
  -d 'JSON.stringify([...document.querySelectorAll("section.note-item")].slice(0, 10).map(item => ...))'
```

Recommendation

Avoid running the CDP/eval path unless you trust the local proxy and understand what page it is controlling.

What this means

The skill may use your existing Xiaohongshu login state rather than a separate, scoped API credential.

Why it was flagged

The skill relies on the user's logged-in Chrome/Xiaohongshu session to retrieve content, which is sensitive account/session access.

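Skill content

The user must be **logged in** to Xiaohongshu in Chrome to see the full search results. If the extracted content is empty, prompt the user to log in via Chrome first.

Recommendation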

Use keyword fallback if you do not want the agent interacting with logged-in social-media sessions.

What this means

Reviewing this package alone does not show what the reused helper script or localhost proxy actually does.

Why it was flagged

The skill depends on another skill's local script and shared proxy that are not included in this artifact set or declared in the install metadata.

Skill content

This Skill reuses the CDP infrastructure of the `holiday-enough` Skill (a `localhost:3456` proxy shared on the same machine).

```bash
node ~/.cursor/skills/holiday-enough/scripts/check-deps.mjs
```

Recommendation

Verify the `holiday-enough` skill and its CDP proxy before enabling this integration.

What this means

Your cities, landmarks, time windows, preferences, and feedback may be kept in a local memory file and reused in later sessions.

Why it was flagged

The skill persistently stores trip context and preferences for future personalization.

Skill content

The `standups.md` file in the **same directory** as this `SKILL.md` is append-only memory... **After finishing (mandatory)**... a new record must be **appended to the end** of `standups.md`

Recommendation

Review `standups.md` periodically, avoid storing sensitive details, and delete or edit entries if you do not want them reused.