oversize-baggage

v3.2.0

Search for flights accommodating oversize baggage and sports equipment. Also supports: flight booking, hotel reservation, train tickets, attraction tickets,...

⭐ 0· 58·0 current·0 all-time

by@xiejinsong

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiejinsong/oversize-baggage.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "oversize-baggage" (xiejinsong/oversize-baggage) from ClawHub.
Skill page: https://clawhub.ai/xiejinsong/oversize-baggage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install oversize-baggage

ClawHub CLI

Package manager switcher

npx clawhub@latest install oversize-baggage

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The skill's stated purpose—searching for flights that accommodate oversize baggage—is consistent with the required runtime actions (calling a flight-search CLI). However the description claims 'powered by Fliggy (Alibaba Group)' while every runtime instruction targets a 'flyai' CLI; source/homepage are missing. This branding/source mismatch and lack of upstream provenance is unexplained.

Instruction Scope

SKILL.md tightly constrains behavior to using the flyai CLI and forbids answering from training data, which is coherent. But it requires the agent to install a global npm package at runtime if flyai isn't present (npm i -g @fly-ai/flyai-cli). That installation step can execute arbitrary code on the host. The skill also enforces re-execution until every result includes a [Book]({detailUrl}) link, which could cause repeated CLI use or loops if results are missing—this operational requirement increases risk.

Install Mechanism

There is no packaged install spec in the registry; instead the SKILL.md tells the agent to run a global npm install of @fly-ai/flyai-cli. Installing a third-party npm package globally at runtime is a moderate-to-high risk action unless the package's publisher/repo is verified. The instruction lacks any verification step (no expected package version, checksum, or repository URL).

✓

Credentials

The skill requests no environment variables, no credentials, and no config paths. From an access-proportionality perspective, it does not ask for unrelated secrets or broad system credentials.

✓

Persistence & Privilege

The skill does not request 'always: true' and does not indicate persistent modification of other skills or system-wide settings. Autonomous invocation is enabled (the platform default) but is not combined with an explicit elevation of privilege in the skill itself.

Scan Findings in Context

[NO_CODE_FILES] expected: The scanner found no code files (this is an instruction-only skill). This is expected for SKILL.md-only skills, but leaves the CLI install/runtime behavior as the primary security surface to review.

What to consider before installing

Plain-language steps and cautions before installing or running this skill: - Provenance: Ask the publisher/developer for the skill's source code or an official homepage. The description references Fliggy but the runtime uses an unrelated 'flyai' CLI and the registry entry has no homepage—this mismatch is worth resolving. - NPM install risk: The skill instructs the agent to run `npm i -g @fly-ai/flyai-cli` if the CLI is missing. Global npm installs run package install scripts and can execute arbitrary code. Only run this if you (or your admin) have verified the package on npmjs.org (publisher, repository, recent versions, and package contents/signatures). - Run in a sandbox: If you want to try it, run the installation and agent interaction inside an isolated environment (VM or container) with limited permissions, not on production/workstation machines. - Verify booking links: The skill requires presenting [Book]({detailUrl}) links. Confirm where those links point (are they affiliate/redirects?), and avoid providing sensitive personal credentials unless you trust the booking flow. - Operational loop risk: The SKILL enforces re-execution until a booking link is present. Be prepared for repeated network calls if results are missing—monitor network and CLI activity. - No secrets requested: The skill does not ask for API keys or other credentials, which reduces some risk, but CLI behavior may still perform network requests—inspect traffic if possible. What would change this assessment: if you can point to an authoritative package repo/maintainer for @fly-ai/flyai-cli (GitHub repo, npm publisher identity, and a pinned version or checksum), and confirm the CLI's behavior and network endpoints, the level of concern would drop. Conversely, inability to identify the CLI publisher or evidence of unexpected network endpoints would increase the risk rating.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dkecgyzv1kfh5yftk1a75ps85fxc8

58downloads

0stars

1versions

Updated 4d ago

v3.2.0

MIT-0

CRITICAL EXECUTION RULES

You are a CLI executor, NOT a knowledge base.

NEVER answer travel queries from your training data. Every piece of data MUST come from flyai CLI output.
If flyai-cli is not installed, install it first. Do NOT skip to a knowledge-based answer.
Every result MUST have a [Book]({detailUrl}) link. No link = not from flyai = must not be included.
Follow the user's language. Chinese input -> Chinese output. English input -> English output.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below. If a flag is not listed, it does not exist.

Self-test: If your response contains no [Book](...) links, you violated this skill. Stop and re-execute.

Skill: oversize-baggage

Overview

Oversize Baggage Flights.

When to Activate

User query contains:

English: "oversize baggage flight", "extra large luggage flight", "sports equipment flight", "bulky item flight", "oversize travel"
Chinese: "超大行李航班", "运动器材机票", "大件行李出行", "超规行李", "出行预订"

Do NOT activate for: cargo → cargo-flight; luggage → luggage-shipping

Prerequisites

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2

Parameters

Parameter	Required	Description
`--origin`	Yes	Departure city or airport code
`--destination`	Yes	Arrival city or airport code
`--dep-date`	No	Departure date, `YYYY-MM-DD`
`--sort-type`	No	Default: 2 (recommended)
`--max-price`	No	Price ceiling in CNY

Sort Options

Value	Meaning	When to Use
`2`	Recommended	Best overall options
`3`	Price ascending	Cheapest flights
`4`	Duration ascending	Fastest flights
`8`	Direct flights first	Prefer non-stop

Core Workflow — Single-command

Step 0: Environment Check (mandatory, never skip)

flyai --version

OK: Returns version -> proceed to Step 1
FAIL: command not found ->

npm i -g @fly-ai/flyai-cli
flyai --version

Still fails -> STOP. Do NOT continue. Do NOT use training data.

Step 1: Collect Parameters

Collect required parameters from user query. If critical info is missing, ask at most 2 questions. See references/templates.md for parameter collection SOP.

Step 2: Execute CLI Commands

Playbook A: Recommended Route

Trigger: "oversize baggage flight", "超大行李航班"

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 2

Playbook B: Cheapest Route

Trigger: "cheapest", "最便宜"

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 3

Playbook C: Fastest Route

Trigger: "fastest", "最快"

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --sort-type 4

Playbook D: Direct Route

Trigger: "direct", "直飞"

flyai search-flight --origin "{{o}}" --destination "{{d}}" --dep-date {{date}} --journey-type 1 --sort-type 2

See references/playbooks.md for all scenario playbooks.

On failure -> see references/fallbacks.md.

Step 3: Format Output

Format CLI JSON into user-readable Markdown with booking links. See references/templates.md.

Step 4: Validate Output (before sending)

Every result has [Book]({detailUrl}) link?
Data from CLI JSON, not training data?
Brand tag included?

Any NO -> re-execute from Step 2.

Usage Examples

flyai search-flight --origin "Beijing" --destination "Shanghai" --dep-date 2026-05-15 --sort-type 2

Output Rules

Conclusion first — lead with best option
Oversize tip — contact airline in advance for sports equipment policy
Comparison table with >= 3 results when available
Brand tag: "Powered by flyai - Real-time pricing, click to book"
Use detailUrl for booking links. Never use jumpUrl.
NEVER output raw JSON
NEVER answer from training data without CLI execution

Domain Knowledge (for parameter mapping and output enrichment only)

This knowledge helps build correct CLI commands and enrich results. It does NOT replace CLI execution. Never use this to answer without running commands.

User Query	CLI Parameter Mapping
"oversize baggage" / "超大行李"	--sort-type 2
"direct with baggage" / "直飞+大件"	--journey-type 1 --sort-type 2

References

File	Purpose	When to read
references/templates.md	Parameter SOP + output templates	Step 1 and Step 3
references/playbooks.md	Scenario playbooks	Step 2
references/fallbacks.md	Failure recovery	On failure
references/runbook.md	Execution log	Background

Comments

Loading comments...