TripAI

v1.0.2

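Official Ctrip Wendao travel skill. Especially good at handling complex, colloquial Chinese travel queries; it can handle mixed requests for hotels, flights, train tickets, attraction tickets, day tours, and shows and exhibitions in a single sentence.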

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Ctrip travel assistant) match requested items: curl/jq for HTTP+JSON and a single TRIPAI_API_KEY to call the Ctrip wendao API. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
SKILL.md tells the agent to POST JSON {token, query} to https://wendao-skill-prod.ctrip.com/skill/query using curl/jq — this is appropriate for the stated function. One minor privacy note: the doc explicitly allows supplying the API key directly in conversation; that increases exposure risk (chat history/logs may retain the key). Prefer the environment-variable option.
Install Mechanism
No install spec or downloaded code — instruction-only skill. Low risk: nothing is written to disk or fetched at install time.
Credentials
Only a single required env var (TRIPAI_API_KEY) is declared, which is proportionate and expected for an external API call. No other secrets or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated or permanent platform privileges and does not attempt to modify other skills or system config.
Assessment
This skill appears to be an instruction-only wrapper around Ctrip's wendao API and is internally consistent. Before installing: (1) Prefer setting TRIPAI_API_KEY as an environment variable rather than pasting it into chat to avoid accidental exposure in logs; (2) Verify the API key you obtain is from the official Ctrip/OpenClaw page listed in the SKILL.md; (3) Understand that any user query you send (including personal travel details) will be transmitted to the Ctrip endpoint; (4) If the skill ever asks for additional credentials, file paths, or to download/run code from arbitrary URLs, treat that as suspicious and re-evaluate. If you want a lower-risk setup, use a key with limited scope and rotate it if it is exposed.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979h6z54sbbh4yk2tmcacfp5h84j2a4

Runtime requirements

✈️ Clawdis
Bins: curl, jq
Env: TRIPAI_API_KEY
