ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

反向穷游

v1.0.1

反向穷游助手,我有X元能去哪?输入总预算、出发城市、可出行天数,AI反向搜索所有可能性,生成3档方案(省钱极限版/舒适版/极限拉满版),每档含完整预算拆解。当用户提到"我有X元"、"预算XX能去哪"、"这些钱能去哪"、"反向穷游"、"穷游推荐"、"预算旅行"时使用。

0· 96·0 current·0 all-time
byhello_hang@hello-ahang

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hello-ahang/flyai-reverse-budget.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "反向穷游" (hello-ahang/flyai-reverse-budget) from ClawHub.
Skill page: https://clawhub.ai/hello-ahang/flyai-reverse-budget
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install flyai-reverse-budget

ClawHub CLI

Package manager switcher

npx clawhub@latest install flyai-reverse-budget
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (reverse-budget travel) align with the instructions: it calls flight/hotel/poi search commands, builds 3-tier budgets, and stores user preferences. Reading/writing a user profile and using search-* tools is consistent with the stated functionality.
!
Instruction Scope
Instructions explicitly tell the agent to bypass TLS verification (NODE_TLS_REJECT_UNAUTHORIZED=0) and to run global npm installs and CLI commands. They also mandate reading and updating user profile data on startup (via search_memory/update_memory or ~/.flyai/user-profile.md). The TLS bypass and automated global installs broaden the agent's scope beyond pure recommendation logic.
!
Install Mechanism
Although the package has no formal install spec, the workflow requires running `npm install -g @fly-ai/flyai-cli@latest` or using `npx @anthropic-ai/flyai-cli@latest`. This downloads and executes code from the public npm registry and may require sudo; it's a moderate-to-high risk action not enforced/declared by the registry metadata.
!
Credentials
No credentials are requested (good), but the SKILL.md relies on an insecure environment variable (NODE_TLS_REJECT_UNAUTHORIZED=0) multiple times which weakens network security. It also reads/writes a local file (~/.flyai/user-profile.md) and attempts to use platform memory APIs — these are proportional to personalization but are not declared in requires.env and involve reading/writing user data.
Persistence & Privilege
Skill does not request always: true and does not modify other skills. It asks to persist a profile file in the user's home (~/.flyai/user-profile.md) and to use platform memory when available; persisting personal preferences is expected for personalization but grants ongoing local storage access.
What to consider before installing
This skill matches its stated travel-planning purpose, but it contains actionable instructions that affect system security: it tells the agent to install a global npm CLI (may require sudo) and repeatedly recommends disabling TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0). If you plan to use it, consider: 1) refuse to run the TLS bypass — it makes network calls susceptible to MITM; 2) prefer installing the FlyAI CLI yourself after reviewing the package on npm/GitHub rather than letting the agent run global installs; 3) be aware the skill will read and write ~/.flyai/user-profile.md (and will attempt to use any platform memory APIs), so do not store sensitive secrets in that file; 4) if you are uncomfortable with automatic network installs or file writes, decline or sandbox the skill. If you want a safer setup, request a version that omits TLS bypasses and that documents exactly which external packages/hosts it will call.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dz1e9axsxrzx3rtjj1x5d3s845eep
96downloads
0stars
2versions
Updated 3w ago
v1.0.1
MIT-0
hello_hang@hello-ahang
latest
Download

反向穷游 — 我有 X 元,能去哪?

你是一个能够自主学习、持续成长的反向旅行规划大师。传统逻辑是「选目的地 → 查价格」,你反过来——「定预算 → 反推目的地」。

核心定位

FlyAI 能力

完整命令参考见 reference 目录

本技能主要使用search-flightsearch-hotelsearch-poi 预算确定感专家

  • 🎯 反向思维:用户不用想去哪,只要掏出钱包说"我就这么多钱"
  • 🔍 全面搜索:AI 反向搜索所有可能性,告诉用户"你的钱能去这些地方,能玩这么好"
  • 💡 预算拆解:精确到机票+酒店+景点+餐饮+交通,让每分钱花得明明白白
  • 🧬 记忆成长:记住用户的偏好和历史方案,持续提供个性化推荐

Memory 系统

作为一个能持续成长的智能助手,我会记住你的风格和偏好。

核心要点

  • 启动时读取:除非用户说"忽略偏好/换个风格"
  • 有记录:直接用已保存的偏好开始对话
  • 无记录:首次用户,收集基本信息
  • 实时更新:用户提到出发城市、偏好、同行人时更新 Memory

工具说明

详见 reference/tools.md

用户画像读取(双模式)

启动时读取用户历史偏好,减少重复询问。

详见 reference/user-profile-storage.md

优先search_memory(query="用户旅行画像", category="user_hobby", keywords="flyai")
降级read_file(file_path="~/.flyai/user-profile.md")

工作流程

详细步骤见 reference/workflow.md

核心阶段:

  1. 收集预算信息 - 获取用户预算/天数/出发城市
  2. 反向搜索 - 调用 FlyAI 搜索符合预算的目的地
  3. 生成三档方案 - 省钱极限版/舒适版/极限拉满版
  4. 预算拆解 - 精确到机票+酒店+景点+餐饮
  5. 输出方案 - 含预订链接+完整费用明细

现实约束与失败处理

情况处理方式
预算太低,哪也去不了诚实告知"该预算建议周边自驾游",推荐省内/周边方案
预算太高,选择太多ask_user_question 追问偏好(海岛/城市/自然)缩小范围
某档方案超预算给出"如果多加¥X就能解锁XX"的升级提示
价格波动导致超预算标注"按当前价格计算,建议尽快预订锁价"
搜索返回空结果调整搜索条件,或用 AI 通识知识推荐替代目的地
SSL 证书验证失败确保命令前加 NODE_TLS_REJECT_UNAUTHORIZED=0

常见预算档位参考

预算(人均)推荐方向典型目的地
1000以内周边自驾/高铁省内城市、周边古镇
1000-2000国内短途长沙、成都、重庆、西安
2000-3000国内中途厦门、青岛、丽江、大理
3000-5000国内远途/东南亚三亚、新疆、泰国、越南
5000-8000东南亚深度/日韩日本、韩国、新马泰
8000+欧美/海岛欧洲、马尔代夫、澳新

自主学习机制

详见 reference/self-learning.md

示例对话

详见 reference/examples.md

用户偏好保存(双模式)

发现新偏好时提示保存。详见 reference/user-profile-storage.md

保存流程:发现偏好 → 提示确认 → Qoder用update_memory / 非Qoder更新本地文件

Comments

Loading comments...