Design Hotel
v3.2.0Discover design-forward boutique hotels — Instagram-worthy interiors, unique architectural concepts, and curated artistic experiences. Also supports: flight...
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill says it discovers boutique/design hotels and its runtime instructions consistently rely on the flyai CLI (search-hotels, fliggy-fast-search, etc.). Requiring the flyai CLI is proportionate and expected for this purpose; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
All data is mandated to come from the flyai CLI; the SKILL.md instructs installing @fly-ai/flyai-cli if missing and to re-run CLI calls until outputs meet formatting rules (links, brand tag). The runbook includes writing an execution log to .flyai-execution-log.json if file writes are available — this is plausible for auditing but means the agent will persist user queries and CLI outputs locally. The instructions do not request other system files or unrelated environment variables. Consider that user-provided strings will be embedded into shell commands — sanitation/command-injection risk is not addressed in the instructions.
Install Mechanism
There is no formal install spec in the registry; instead the SKILL.md tells the agent to run npm i -g @fly-ai/flyai-cli. Installing a global npm package is a reasonable mechanism for a CLI-driven skill, but it pulls arbitrary third-party code onto the system. Because the skill metadata has no homepage/source listed, verify the package's origin before installing or prefer the user to install it manually.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportional: searching and formatting booking results via a CLI does not itself require secrets. The only persistence noted is an execution log (local file) created by the runbook.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges. However, the runbook suggests appending execution logs to a local .flyai-execution-log.json file when filesystem writes are available — this is reasonable for diagnostics but results in local persistence of queries and CLI outputs. The skill does not modify other skills or system-wide settings.
Assessment
This skill is internally consistent: it relies on a FlyAI/Fliggy CLI to fetch live hotel data, which matches the skill description. Before installing or using it:
- Verify the @fly-ai/flyai-cli package (publisher, npm page, GitHub repo or official docs). If you can't verify it, prefer to install it manually in a controlled environment.
- Be aware the agent will execute shell commands containing your query parameters — avoid sharing sensitive secrets (passwords, tokens, full personal IDs) as search parameters.
- The runbook may append an execution log (.flyai-execution-log.json) containing user_query and CLI results to disk; if you handle sensitive data, inspect or disable local logging.
- If you want stronger assurance, ask for the flyai-cli source code or run the CLI yourself and provide its outputs rather than letting the agent install the package automatically.Like a lobster shell, security has layers — review code before you run it.
latestvk974rt9td6f294yx22z0jbewg984jvc9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.