v1.0.0

AI机票预订助手

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

The skill matches its flight-booking purpose, but it can change real bookings and handles travel credentials and personal data in ways that need careful review.

GuidanceInstall only if you trust this flight service and are comfortable giving it passenger names, phone numbers, ID numbers, and authority over flight orders. Before using it, confirm that TLS verification and token storage are fixed, and require the assistant to show the exact itinerary, passengers, fees, and action before any booking, refund, cancellation, or change is submitted.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/refund_apply.py

for passenger in passenger_list:
        product_id = passenger.get("productId", "")
        if product_id:
            product_id_list.append(product_id)
...
product_ids = ",".join(product_id_list)
...
response = refund_apply(order_id, product_ids, refund_amount)

The refund script gathers all passenger ticket product IDs from an order and submits a refund request once invoked, without an in-script final confirmation or passenger-level scoping.

User impactA mistaken or over-eager invocation could submit a refund request for all tickets on an order, affecting real travel plans and money.

RecommendationRequire an explicit final confirmation immediately before refund, cancel, change, or order creation; show the affected passengers, order number, fees, and consequences; consider an in-script confirmation flag or selected-passenger argument.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/create_order.py

print(f"乘客姓名: {passenger_name}")
print(f"乘客手机号: {passenger_phone}")
print(f"乘客证件号: {passenger_id}")

The script prints full passenger PII to stdout during order creation, despite the skill documentation telling users not to expose personal information in logs or replies.

User impactFull names, phone numbers, and identity document numbers may appear in assistant output or logs unnecessarily.

RecommendationMask sensitive fields in all script output, avoid echoing full ID numbers or phone numbers, and ensure order-detail responses are redacted by default.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/common.py

def get_auth_file_path():
    # 使用临时目录下的文件（避免权限问题）
    return get_temp_file_path(".fbt_auth.json")
...
"apiKey": api_key,
"phone": phone,
"auth_time": datetime.now().isoformat(),
"expire_days": 90

A reusable account apiKey and phone number are persisted for 90 days in a temporary-directory file, and later calls automatically load and use that apiKey.

User impactThe stored token can authorize future flight-account actions, so weak or unclear storage increases the impact if the local file is exposed or reused unexpectedly.

RecommendationDeclare the credential requirement, store tokens in a per-user protected credential store or file with restrictive permissions, provide a logout/delete-token flow, and align documentation with the actual storage path.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityHighConfidenceHighStatusConcern

scripts/common.py

return os.environ.get("FBT_API_URL", "https://app-gate.fenbeitong.com/air_biz/skill/execute")
...
context = ssl._create_unverified_context()
with urllib.request.urlopen(req, context=context) as response:

All API calls can be redirected by an undeclared environment variable and are made with certificate verification disabled, while the payloads include apiKey and booking/PII data.

User impactPersonal information and the account apiKey may be sent over a connection that does not verify the server certificate, increasing interception or misdirection risk.

RecommendationUse default verified TLS, remove the unverified SSL context, declare and restrict any endpoint override, and avoid sending credentials or PII to non-approved endpoints.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

scripts/create_order.py

seat_items_file = get_temp_file_path("flight_seat_items.json")
...
for item in seat_items:
    if item.get("display_index") == seat_index_int:
        seat_item = item
        break

Order creation trusts a generic temporary file of prior seat results and maps the user's selected number to that stored data, without binding it to a session, user, route, or order.

User impactA stale or overwritten temporary file could cause the assistant to create an order for the wrong stored flight/seat information.

RecommendationUse per-session state files, bind stored seat data to the displayed flight/date/order, expire it quickly, and re-display the exact itinerary and price for confirmation before submitting.