Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

携程机票助手 - ctrip flight

v1.0.0

This skill should be used when the user wants to search for domestic flight tickets in China, query flight prices, find the cheapest flights, compare airline...

by hiyu (@hi-yu)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hi-yu/ctrip-flights.

Install the skill "携程机票助手 - ctrip flight" (hi-yu/ctrip-flights) from ClawHub.
Skill page: https://clawhub.ai/hi-yu/ctrip-flights
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install ctrip-flights

ClawHub CLI:

npx clawhub@latest install ctrip-flights

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the shipped artifacts: a Python script that queries Ctrip flight endpoints and an included c-sign.js used to compute anti-crawl headers. The code, usage, and provided city/province lists are coherent with a flight-search skill.
Instruction Scope
SKILL.md limits runtime actions to running scripts and installing quickjs; the Python code indeed only contacts Ctrip endpoints, fetches an HTML page to extract an FVP cookie, posts search requests, and writes a local cookie cache file. However the script executes bundled, heavily obfuscated JavaScript (c-sign.js) via QuickJS to compute a payload header — that reduces transparency and makes it harder to verify exactly what the runtime JS does.
Install Mechanism
No remote downloads or installers are used; it's instruction-only and requires pip install quickjs. All required code is bundled with the skill (no external arbitrary URL downloads), which is low-install risk.
Credentials
The skill requires no external credentials or environment variables (which matches its purpose). It does create and persist a local .cookie_cache.json in the script directory and generates UIDs/cookies used for requests. There are no other declared secrets, but the cookie content is stored on disk and the code disables TLS verification (see persistence of cookies and TLS concern).
Persistence & Privilege
always is false; the skill only writes a local .cookie_cache.json and does not request to modify system or other skills' configurations. It runs only when invoked.
What to consider before installing
This skill mostly does what it says, but take these precautions before installing or running it:

  • Review the bundled scripts yourself (or have someone you trust review them). The c-sign.js file is obfuscated, so its behavior is not immediately auditable even though it's used locally to compute request headers.
  • Note the Python code disables TLS certificate validation (SSL_CTX.verify_mode = ssl.CERT_NONE). That weakens transport security and could enable MITM attacks if DNS or network routing is tampered with; consider re-enabling certificate checks before use.
  • The script writes .cookie_cache.json (cookie and generated IDs) into the scripts directory. Don't run it in a directory with sensitive files and avoid running as a privileged user.
  • If you only need data and want less risk, consider calling official, documented APIs (if available) or implement your own signing after understanding the JS logic. Run the script in an isolated environment (container/VM) if you must execute it.
  • If you are unsure about the obfuscated JS, request a deobfuscated or audited version from the author or avoid running it.
scripts/ctrip_flight.py:144
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
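The scan above only lists where the patterns occur. As an added example (not ClawHub's scanner and not the skill's own code), the following pre-install check walks a Python file's AST for the three behaviors the report describes: TLS verification turned off, dynamic code execution (including the QuickJS engine used for c-sign.js), and a .cookie_cache.json write. The source it audits is a constructed sample that mirrors those behaviors, and the category names are my own.

```python
import ast
from typing import Dict, List

# Constructed sample (not the skill's real script) mirroring the behaviors the scan
# describes: TLS checks disabled, bundled JS run via QuickJS, cookie cache written to disk.
SAMPLE_SOURCE = '''\
import ssl, json, quickjs, requests
SSL_CTX = ssl.create_default_context()
SSL_CTX.check_hostname = False
SSL_CTX.verify_mode = ssl.CERT_NONE
ctx = quickjs.Context()
ctx.eval(open("_extract/c-sign.js").read())
json.dump({"fvp": "x"}, open(".cookie_cache.json", "w"))
r = requests.post("https://example.invalid/search", verify=False)
'''

def _dotted(func: ast.AST) -> str:
    """Return 'a.b.c' for a call target, '' when it is not a plain name chain."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""

def audit_python_source(src: str) -> Dict[str, List[int]]:
    """Map each finding category to the source lines that triggered it (heuristic)."""
    hits: Dict[str, List[int]] = {"tls_disabled": [], "dynamic_exec": [], "cookie_cache_write": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign):  # x.verify_mode = ssl.CERT_NONE / x.check_hostname = False
            v = node.value
            for t in node.targets:
                if isinstance(t, ast.Attribute) and (
                        (t.attr == "verify_mode" and isinstance(v, ast.Attribute) and v.attr == "CERT_NONE")
                        or (t.attr == "check_hostname" and isinstance(v, ast.Constant) and v.value is False)):
                    hits["tls_disabled"].append(node.lineno)
        elif isinstance(node, ast.Import):  # QuickJS engine used to run the bundled c-sign.js
            if any(a.name.split(".")[0] == "quickjs" for a in node.names):
                hits["dynamic_exec"].append(node.lineno)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("exec", "eval") or name.endswith(".eval"):  # exec()/eval()/Context.eval()
                hits["dynamic_exec"].append(node.lineno)
            if any(k.arg == "verify" and isinstance(k.value, ast.Constant) and k.value.value is False
                   for k in node.keywords):  # requests-style verify=False
                hits["tls_disabled"].append(node.lineno)
            if name == "open" and node.args and isinstance(node.args[0], ast.Constant) \
                    and str(node.args[0].value).endswith(".cookie_cache.json"):
                hits["cookie_cache_write"].append(node.lineno)
    return {k: sorted(v) for k, v in hits.items()}
```

Run it over scripts/ctrip_flight.py after download and compare the reported lines with the scan; an empty result for a category means only that this heuristic saw nothing, not that the file is clean.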


latest: vk977c6j62yk03ca9ydvnvcwtd9841121
208 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

Ctrip Domestic Flight Search

Search domestic flight tickets via Ctrip's API. Provides real-time flight information including prices, airlines, schedules, aircraft types, and low-price calendars.

Prerequisites

Install the required Python package before first use:

pip install quickjs

The skill also requires the _extract/c-sign.js file bundled in the scripts/ directory.

Usage

Run the search script located at scripts/ctrip_flight.py. Both departure and arrival support city names, IATA codes, or province names. When a province is specified, all airports in that province are queried and compared automatically.

python3 scripts/ctrip_flight.py 北京 上海 2026-04-02 --md
python3 scripts/ctrip_flight.py 北京 广东 2026-04-02 --md
python3 scripts/ctrip_flight.py 浙江 云南 2026-04-05 --json

Parameters:

  • Arg 1: departure — city name, IATA code, or province name
  • Arg 2: arrival — city name, IATA code, or province name
  • Arg 3: departure date in YYYY-MM-DD format
  • Arg 4 (optional): cabin — Y = Economy (default), C = Business, F = First
  • --json or -j: output structured JSON
  • --md or -m: output Markdown tables (default)

When a province is given (e.g. "广东"), the script queries all airport cities in that province (广州, 深圳, 珠海), compares prices across routes, and recommends the cheapest option.

Examples:

python3 scripts/ctrip_flight.py 北京 上海 2026-04-02
python3 scripts/ctrip_flight.py 广州 成都 2026-04-05 C

Programmatic Usage

import sys
sys.path.insert(0, "path/to/ctrip-flight/scripts")
from ctrip_flight import search_to_region, to_json, to_markdown

# Single city or province query — province auto-expands to all airports
result = search_to_region("北京", "广东", "2026-04-02")

# result contains:
#   query.isMultiRoute  — True if province was used
#   routeSummaries      — per-route lowest price comparison
#   bestRoute           — the cheapest route overall
#   allFlights          — combined flight list from all routes

md = to_markdown(result)
js = to_json(result)

Supported Locations

Cities: 北京, 上海, 广州, 深圳, 珠海, 成都, 杭州, 温州, 宁波, 武汉, 西安, 重庆, 南京, 天津, 长沙, 三亚, 海口, 昆明, 丽江, 西双版纳, 厦门, 福州, 大连, 沈阳, 青岛, 济南, 哈尔滨, 长春, 郑州, 贵阳, 太原, 兰州, 乌鲁木齐, 南宁, 桂林, 合肥, 南昌

Provinces (auto-expand to all airport cities): 广东(广州/深圳/珠海), 浙江(杭州/温州/宁波), 福建(厦门/福州), 山东(青岛/济南), 辽宁(大连/沈阳), 海南(三亚/海口), 云南(昆明/丽江/西双版纳), 广西(南宁/桂林), 黑龙江, 吉林, 河南, 湖北, 湖南, 江苏, 江西, 安徽, 陕西, 四川, 贵州, 山西, 甘肃, 新疆

Output

Two output formats are supported:

Markdown (--md, default): Renders flight data as Markdown with tables and summary. Ideal for LLM responses and chat display.

JSON (--json): Structured JSON with query, summary, directFlights, transferFlights, and lowPriceCalendar fields. Ideal for downstream processing.

How It Works

The skill's request flow is based on reverse-engineering Ctrip's anti-crawl protections:

  • sign header: MD5(transactionID + cityCode + cityCode + date)
  • w-payload-source header: Ctrip's c-sign.js executed via QuickJS engine
  • FVP cookie: Extracted from server-rendered HTML page
  • token header: Not required (discovered via testing)
