同程程心 Tongcheng Chengxin Travel Search
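v0.5.0 · 同程程心 Skill - Online travel search built on Tongcheng Travel's large model (Chengxin, 程心). Provides more professional search for flights, train tickets, hotels, vacation products (independent travel / group tours), travel guides, itinerary planning, discounted flights, bus tickets, long-distance coaches, scenic spots, admission tickets and more. It is based on official Tongcheng data, so results are more real-time, accurate and reliable, with one-click access to the booking page, making travel simpler and happier.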
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (node), and the single declared credential (CHENGXIN_API_KEY) match a travel search / booking-query skill. The code files are travel-specific query scripts (flight/train/hotel/bus/scenery/etc.), which is coherent with the stated functionality.
Instruction Scope
SKILL.md instructs the agent to check for CHENGXIN_API_KEY, read user query context (date/time/people), and use the specific query scripts — this is expected. It also references reading a local config.json or environment variable and obtaining inbound 'channel'/'surface' context. One notable instruction: a user-facing shortcut claims the assistant can 'automatically configure' the API key for the skill; that requires platform capabilities to write environment/config and is convenient but could be misused if the agent has broad permissions. Verify platform safeguards before allowing auto-configuration.
Install Mechanism
No install spec was provided (instruction-only install), which limits install-time risk. The package contains many node scripts but does not declare any external downloads or installers. The skill requires an existing node binary, which is reasonable for bundled JS scripts.
Credentials
Only one credential is declared (CHENGXIN_API_KEY), which is proportionate for an API-based travel service. No unrelated secrets or config paths are requested. Ensure you only provide the official API key and not other secrets.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill does not request persistent/always-on privileges or access to other skills' configs. The only persistence-related capability to watch is the 'assistant will configure the API key' convenience mentioned in SKILL.md — confirm what platform action this triggers and whether it stores secrets securely.
Assessment
This skill looks coherent for a travel search assistant: it expects node and a single API key (CHENGXIN_API_KEY) and the scripts are focused on flights, trains, hotels, buses and scenery. Before installing, do the following checks:
1) Inspect scripts/lib/api-client.js to confirm the remote API endpoint is an official 同程/ly.com domain (no unexpected third-party or personal URLs) and that requests include only the CHENGXIN_API_KEY.
2) Verify the skill publisher/provenance (registry owner ID vs. the company named in SKILL.md and the ly.com homepage) — the registry 'Source: unknown' weakens provenance.
3) Confirm your platform's behavior for the 'assistant can auto-configure the API key' shortcut — ensure any stored key is protected and that the agent cannot exfiltrate it.
4) Run the scripts in a controlled environment (or review network traffic) if you want to be extra cautious, since the network behavior could not be fully validated from the truncated files.
If those checks look good, the skill is reasonable to use; if you find a non-ly.com endpoint or multiple unrelated env vars in api-client.js, treat the skill as suspicious and do not provide credentials.
Like a lobster shell, security has layers — review code before you run it.
latest vk971gy9mawcqr2r6t7ej2fgs1184rx7q
Runtime requirements
Bins: node
Primary env: CHENGXIN_API_KEY
Environment variables
CHENGXIN_API_KEY (required): 同程程心 API Key