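Holiday Travel Decision skill
v1.0.0 Holiday Travel Decision Judge: a skill that helps users generate, in one step before a holiday, a multi-dimensional assessment report and a recommendation for the best travel window. The user only needs to enter a holiday travel intent (e.g. "I want to go somewhere for May Day", "I don't want National Day to be too crowded", "which day should I take off for Dragon Boat Festival"), and it automatically generates a complete decision report covering off-peak travel windows, leave-bridging dates, budget range, and a destination verdict. Only when the user expresses a holiday travel intent, wants to learn about leave-bridging plans, wants to get...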
by @keyikoi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, assets (holidays.json, templates, example report) and output schema all align: the skill only needs local holiday data, rules, and a report template to produce the decision reports it promises.
Instruction Scope
Runtime instructions stick to parsing user intent, calendar calculations, using local assets, producing an 8‑module report, and calling show_widget with the provided HTML template. One notable item: assets/report_widget.html loads Chart.js from https://cdn.jsdelivr.net — rendering the widget causes a remote script fetch and execution in the UI environment, which could expose report data to third parties or otherwise execute remote code when the widget is rendered. This is not required for core report generation and should be reviewed/sandboxed or the library bundled locally.
Install Mechanism
No install spec, no binaries, no code files beyond static assets and docs — lowest risk install surface.
Credentials
The skill declares no required environment variables, no credentials, and only reads its bundled JSON and reference files; requested access is proportional to the stated functionality.
Persistence & Privilege
always is false and the skill does not request persistent/system‑wide config or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high‑risk properties.
Scan Findings in Context
[no_regex_findings] expected: The regex-based scanner reported nothing to analyze. This is expected because the skill is instruction-only with only static assets and no executable code files for the scanner to match.
Assessment
This skill appears coherent and implements exactly what it claims: generate a structured holiday decision report from bundled holiday data and rules. Before installing, review the widget HTML: it loads Chart.js from jsdelivr (external CDN) and executes client-side JS when the widget is rendered — consider bundling Chart.js locally or ensuring the rendering environment sandbox prevents remote code from accessing or exfiltrating report data. Verify the show_widget tool's behavior (does it render HTML locally or perform network requests / POSTs?). Also confirm you’re comfortable with the skill using default assumptions (default city, budget) when the user doesn't provide details. No credentials or installs are required, so the main operational/privacy risk is the optional widget rendering step.
Like a lobster shell, security has layers — review code before you run it.
