获取一嗨租车的租车价格
v1.0.0Use when the user needs a China domestic rental-car reference price, especially for same-day or holiday travel where train-station or airport store choice ma...
⭐ 0· 50·0 current·0 all-time
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description say it will query OneHai using the user's logged-in Google Chrome on macOS; the scripts (query-onehai-live-chrome.mjs, extract.mjs, onehai-policy.mjs, etc.) implement exactly that flow (open a Chrome tab via osascript, run in-page JS against 1hai.cn endpoints, parse results, OCR price canvases). No unrelated services, binaries, or environment variables are requested.
Instruction Scope
The SKILL.md and code explicitly require and use the user's logged-in Chrome session and AppleScript automation to execute JS in Chrome and to post to OneHai endpoints. This is within scope for the stated task, but it does mean the skill runs code inside your browser context (which has access to authenticated site state). The instructions also require tesseract and use temporary files for OCR. There is no code that sends results to third-party servers other than OneHai; outputs are returned via stdout.
Install Mechanism
There is no install spec or remote download. The skill is instruction-plus-local-scripts only; it runs local Node scripts and calls system binaries (osascript, tesseract). No archives or external installers are fetched by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it depends on the user's logged-in Chrome session (implicitly using browser cookies/session state) and requires enabling Chrome's 'execute JavaScript via Apple Events' setting — both grant the skill access to authenticated OneHai pages. Treat the browser session as a sensitive credential when consenting to use.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills or system-wide agent settings, and does not request elevated or persistent presence. It briefly opens a Chrome tab and writes temporary OCR files, then removes them; it does not persist new system-wide configuration.
Assessment
This skill appears to do what it claims, but it operates by executing JavaScript inside your logged-in Google Chrome session via AppleScript and then running local OCR (tesseract). Before installing or using it: (1) confirm you are comfortable that the skill will have access to your Chrome session for OneHai (cookies/session state can act like credentials); (2) only enable the Chrome setting it requires if you trust the skill and understand macOS automation risks; (3) run it from a Chrome profile that does not contain unrelated sensitive sessions if you are cautious (or log out of other accounts); (4) ensure tesseract is installed from a trusted source; (5) review the included scripts (they POST only to https://www.1hai.cn and return JSON locally) if you want to verify there is no unexpected network exfiltration.scripts/query-onehai-live-chrome.mjs:52
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latest
China Rental Price
Overview
This skill is for China domestic self-drive rental price checks in travel-planning conversations. The currently reliable path is OneHai via the user's logged-in Google Chrome session on macOS.
When To Use
- The user asks for a China domestic rental-car price, same-day quote, or holiday quote.
- The user wants a station or airport pickup store, not an arbitrary citywide sweep.
- The user shows a "0 cars" page and needs to know whether it is truly sold out or blocked by a peak-period minimum-rental rule.
Preconditions
- Use absolute dates and times.
- Google Chrome must already be logged into 一嗨租车.
- Chrome must have
查看 > 开发者 > 允许 Apple 事件中的 JavaScriptenabled. - macOS needs
osascriptandtesseract.
Workflow
- Prefer scene-based store targeting:
- High-speed rail or train arrival:
train-station - Flight arrival:
airport - Only use citywide selection when the user did not specify a transit scene.
- High-speed rail or train arrival:
- If the user knows the exact store, pass
--pickup-locationand--dropoff-location. - Run
scripts/query-onehai-live-chrome.mjs. - Interpret the result before answering:
bookingRestrictionmeans a policy limit such as a holiday minimum-rental rule. Do not describe it as ordinary sellout.priceMinandvehicleSamplesare reference prices captured at query time, not a guaranteed final checkout price.availableCars = 0withoutbookingRestrictionis the closer match to true no inventory at that store and time.
Commands
City plus transit scene:
node /Users/shenmingjie/.codex/skills/china-rental-price/scripts/query-onehai-live-chrome.mjs \
--pickup-city 宣城 \
--pickup-scene train-station \
--pickup-datetime 2026-05-01T15:30 \
--dropoff-datetime 2026-05-04T10:30
Exact store:
node /Users/shenmingjie/.codex/skills/china-rental-price/scripts/query-onehai-live-chrome.mjs \
--pickup-city 宣城 \
--pickup-location "泾县高铁站自助点" \
--dropoff-city 宣城 \
--dropoff-location "泾县高铁站自助点" \
--pickup-datetime 2026-05-01T10:00 \
--dropoff-datetime 2026-05-04T10:00
Output Shape
The script prints JSON with fields such as:
platformstatuscapturedAtbookingUrlselectedStorepriceMinpriceTotalIfAvailableavailableCarsvehicleSamplesbookingRestrictionwarnings
Response Guidance
- Report the selected store explicitly so the user knows whether the quote came from a train-station store, airport store, or another branch.
- Keep the wording as
参考实时价. - If the query is part of a broader itinerary, combine the rental result with the user's actual arrival mode instead of searching every store in the city.
- Be transparent that the reliable automated path in this skill is currently OneHai.
Comments
Loading comments...