ClawHub

trip-packer

v1.0.0

帮助用户将旅行行程数据打包成独立的 HTML 地图网页。 引导用户完成行程规划、生成符合 Schema 的 JSON、调用 trip-packer CLI 构建产物,并在构建完成后将 HTML 结果呈现给用户。

1· 82·0 current·0 all-time
by@ucasytoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (build a single-file HTML map from itinerary JSON) lines up with the files and instructions. Requesting the `node` binary is appropriate because the runtime directions call `npx trip-packer ...`. Minor mismatch: SKILL.md assumes `npx` is available (bundled with npm), so requiring only `node` may be insufficient on some systems.
Instruction Scope
Instructions stay within the trip-packer domain (collect itinerary, produce JSON conforming to schema, run `npx trip-packer validate/build`, write outputs to skills/trip-packer/data/). Important side-effects: (1) invoking `npx trip-packer` will download and execute an npm package at runtime; (2) the generated HTML references external map tile CDNs (Amap/CARTO) so viewing the file will cause the browser to contact third-party endpoints and may expose itinerary locations to those providers. These behaviors are coherent with the skill's purpose but have privacy/supply-chain implications that the SKILL.md does not explicitly warn about.
Install Mechanism
There is no install spec (instruction-only). Runtime use of `npx` is the effective install/execution mechanism: npx will fetch the `trip-packer` package from the npm registry and run it. This is expected for a CLI-based skill but is a moderate supply-chain risk because arbitrary code from the npm registry could execute when the agent runs the CLI.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to the stated purpose.
Persistence & Privilege
always:false (no forced always-on presence). The skill does not request elevated or cross-skill config changes. Agent autonomous invocation is allowed (platform default) and not, by itself, a red flag here.
Assessment
This skill appears to do what it says, but note two operational risks before installing/using it: (1) the runtime commands use `npx trip-packer ...`, which will download and execute an npm package from the network — verify the origin/trustworthiness of that npm package (or preinstall a vetted version) to avoid supply-chain risks; (2) the generated HTML will load map tiles from third-party CDNs (Amap for CN or CARTO for other countries), which can reveal location data to those providers when the file is opened in a browser. Also ensure your environment has npm/npx available (SKILL.md assumes it) and, if you need stricter privacy, run the build in a sandbox or request the user to supply a locally installed `trip-packer` binary/package.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dqwrj3pv5abp9hnz7pw3ymh84h5s8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🗺️ Clawdis
OSLinux · macOS · Windows
Binsnode

Comments