分贝通机票助手

This skill appears to implement a legitimate flight booking workflow, but take these precautions before installing or using it: - Expect that the skill will send user PII (name, phone, ID number) and the saved apiKey to an external HTTP API — only proceed if you trust the service endpoint. - The code disables TLS certificate verification (ssl._create_unverified_context()). This allows man-in-the-middle attacks and can expose PII and apiKey. Prefer a version that verifies TLS and never run it against sensitive data until fixed. - SKILL.md says apiKey is saved to ~/.fbt_auth.json but the code actually saves/loads it from the system temporary directory (tempfile.gettempdir(), e.g., /tmp). Temporary directories can be accessible to other local users on some systems — consider changing the storage path and file permissions to a user-only location, or audit the file after use. - The API endpoint can be overridden via the FBT_API_URL environment variable (not documented). Verify the endpoint (default is https://app-gate.fenbeitong.com/air_biz/skill/execute) before use; do not allow it to point to an attacker-controlled server. - If you must use this skill, consider auditing or patching common.py to: enable certificate verification, store auth in a secure user path (with restrictive permissions), and document/disable any endpoint override unless explicitly needed. Given these concrete risks (disabled TLS verification, secret stored in temp dir, and undocumented endpoint override), label the package 'suspicious' until the above issues are addressed or you can confirm the service and deployment environment are secure.