All-in-One Flight Booking, Domestic Edition - Query Only

Pass. Audited by ClawScan on May 12, 2026.

Overview

This is a query-only flight-search skill, with the main cautions being that it runs an external latest-version CLI and needs a RollingGo API key.

Before installing, make sure you trust RollingGo and the rollinggo-flight package, because the skill runs external latest-version CLI code. Store ROLLINGGO_API_KEY in per-skill configuration if possible, and use the skill only for flight search results, not booking or payment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is configured too broadly, more processes or skills may be able to use it than necessary.

Why it was flagged

The skill needs a provider API key visible to the process, and the docs correctly recommend per-skill scoping while also showing broader host-wide options.

Skill content

This skill requires a process-visible `ROLLINGGO_API_KEY`. ... Prefer per-skill configuration.

Recommendation

Use per-skill environment configuration when possible, avoid pasting the key into shared logs or transcripts, and rotate the key if it is exposed.

What this means

A future package update could change what code runs when the skill is used.

Why it was flagged

The skill intentionally runs the latest external CLI package rather than a pinned version, so behavior can change when the package is updated.

Skill content

This skill's default policy: every execution uses the latest released version. ... `npx --yes rollinggo-flight@latest ...`

Recommendation

Install only if you trust the RollingGo package source; for stricter environments, prefer a reviewed and pinned version instead of always using latest.

What this means

If a user chooses this install method, remote installer code runs on their machine.

Why it was flagged

The optional standalone-binary setup path executes a downloaded installer script directly in the shell.

Skill content

curl -fsSL https://raw.githubusercontent.com/RollingGo-AI/rollinggo-flight-cli/main/scripts/install.sh | sh

Recommendation

Prefer standard package-manager installation where possible, or inspect and verify the installer script before running pipe-to-shell commands.