Travel Information and News

This skill appears to do what it says (multi-source travel search + optional scraping), but check a few things before installing or running it with real credentials: - The skill requires a TAVILY_API_KEY (and optionally BRAVE_API_KEY) even though the registry metadata lists none — do not provide API keys unless you trust the Tavily endpoint and the skill owner. - SKILL.md mentions ~/.openclaw/.env, but search.py actually loads .env from the skill directory (../.env and .env). Ensure you place API keys where the script will read them or pass them via process env explicitly. - SKILL.md mandates translating all results to the query language. The visible code shows only simple language detection; verify the translation implementation exists and review which translation service is used (that may require additional credentials or cause unexpected network calls). - The browser scraping path will install/run system components: Xvfb, Chromium, and Node/Puppeteer; the script can start Xvfb and spawn a node process. Run scraping in a sandbox/container and review the browser_search.js and search.py code if you plan to enable --use_browser. - The README suggests installing a 'desktop-control' skill for simulated clicking. That skill grants broader automation (mouse/keyboard) — only install it if you understand and trust it. - The PDF path downloads a font at runtime from GitHub raw; if you have strict network policies, be aware of this runtime fetch. Recommendations: review the full (untruncated) search.py for any hidden network endpoints or translation calls; run initially without enabling browser scraping; use least-privilege API keys (scoped, rate-limited) and rotate them after testing; run in an isolated environment if you must enable the browser automation features.