Plan Dubai Travel — Flights, Hotels, Burj Khalifa, Desert Safari, Malls & Itineraries
v3.2.0Plan your Dubai experience — Burj Khalifa views, desert safari adventures, Dubai Mall shopping, Palm Jumeirah resorts, and gold souk bargaining. Also support...
⭐ 0· 42·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly requires the @fly-ai/flyai-cli and mandates that every answer come from its output; however the top-level registry metadata lists no required binaries or install spec. Additionally the description mentions "Powered by Fliggy (Alibaba Group)" while the instructions exclusively use the flyai CLI — this is a mismatch that could indicate sloppy packaging or false branding. A consumer would reasonably expect the manifest to declare the flyai CLI as a required binary or include an install step.
Instruction Scope
The instructions force the agent to (a) install/run an external CLI (npm i -g @fly-ai/flyai-cli) if absent, (b) never answer from training data, (c) rely strictly on CLI JSON outputs and include booking links, and (d) maintain an internal execution log that may be written to disk (.flyai-execution-log.json). The runbook's recommended persistent log can capture full user_query and other data (potentially sensitive/PII). There are no instructions to redact or limit what's logged.
Install Mechanism
This is an instruction-only skill (no install spec in registry), but the runtime instructions tell the agent to perform a global npm install of @fly-ai/flyai-cli. Installing an npm package globally at runtime is a moderate-risk action: the package source (npm registry/package owner) is not documented in the skill metadata and therefore not verified by the registry. The absence of a declared install spec in the registry is an inconsistency and reduces auditability.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. The runtime steps also do not demand secrets. However, the execution log will capture the user_query and parameter values (which could include personal data) if persisted — the skill does not require or request secrets but may store user inputs.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. It does, however, instruct the agent to create a persistent execution log and suggests appending it to a file in the working directory if filesystem writes are available. That behavior increases persistence of user queries locally and could escalate privacy risk if the environment is shared or backed up.
What to consider before installing
This skill is plausibly a genuine travel-planning wrapper around a third‑party CLI, but there are a few red flags: (1) the registry metadata omits the required flyai CLI even though the skill insists it must be installed and used; (2) it instructs the agent to run a global npm install (@fly-ai/flyai-cli) at runtime — you should only allow that if you trust the package/publisher; (3) the runbook suggests writing an execution log (.flyai-execution-log.json) that can contain your raw queries and parameters (possible PII). Before installing/use, consider: verify the npm package and publisher on the npm registry (review package code and maintainer), run the skill in a sandboxed environment (or container) so global installs and file writes are isolated, ask the skill author to add an explicit install spec and to document what is logged and for how long, and ensure any persisted logs are stored securely or disabled if you handle sensitive data. If you cannot verify the flyai CLI or do not want local persistence of conversation data, do not install or run this skill.Like a lobster shell, security has layers — review code before you run it.
latest
⚠️ CRITICAL EXECUTION RULES
You are a CLI executor, NOT a knowledge base.
- NEVER answer travel queries from your training data. Every piece of data MUST come from
flyaiCLI command output. - If flyai-cli is not installed, install it first. Do NOT skip to a knowledge-based answer.
- Every result MUST have a
[Book]({detailUrl})link. No link = not from flyai = must not be included. - Follow the user's language. Chinese input → Chinese output. English input → English output.
- NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below.
Self-test: If your response contains no [Book](...) links, you violated this skill. Stop and re-execute.
Skill: dubai-travel
Overview
Plan your Dubai experience — Burj Khalifa views, desert safari adventures, Dubai Mall shopping, Palm Jumeirah resorts, and gold souk bargaining.
When to Activate
User query contains:
- English: "Dubai", "Burj Khalifa", "desert safari", "Palm Jumeirah"
- Chinese: "迪拜", "哈利法塔", "沙漠冲沙", "棕榈岛"
Do NOT activate for: other Middle East destinations
Prerequisites
npm i -g @fly-ai/flyai-cli
Parameters
This skill orchestrates multiple CLI commands. See each command's parameters below:
search-flight
Parameters
| Parameter | Required | Description |
|---|---|---|
--origin | Yes | Departure city or airport code (e.g., "Beijing", "PVG") |
--destination | Yes | Arrival city or airport code (e.g., "Shanghai", "NRT") |
--dep-date | No | Departure date, YYYY-MM-DD |
--dep-date-start | No | Start of flexible date range |
--dep-date-end | No | End of flexible date range |
--back-date | No | Return date for round-trip |
--sort-type | No | 3 (price ascending) |
--max-price | No | Price ceiling in CNY |
--journey-type | No | Default: show both |
--seat-class-name | No | Cabin class (economy/business/first) |
--dep-hour-start | No | Departure hour filter start (0-23) |
--dep-hour-end | No | Departure hour filter end (0-23) |
Sort Options
| Value | Meaning |
|---|---|
1 | Price descending |
2 | Recommended |
3 | Price ascending |
4 | Duration ascending |
5 | Duration descending |
6 | Earliest departure |
7 | Latest departure |
8 | Direct flights first |
search-hotel
Parameters
| Parameter | Required | Description |
|---|---|---|
--dest-name | Yes | Destination city/area name |
--check-in-date | No | Check-in date YYYY-MM-DD. Default: today |
--check-out-date | No | Check-out date. Default: tomorrow |
--sort | No | Default: rate_desc |
--key-words | No | Search keywords for special requirements |
--poi-name | No | Nearby attraction name (for distance-based search) |
--hotel-types | No | 酒店/民宿/客栈 |
--hotel-stars | No | Star rating 1-5, comma-separated |
--hotel-bed-types | No | 大床房/双床房/多床房 |
--max-price | No | Max price per night in CNY |
Sort Options
| Value | Meaning |
|---|---|
distance_asc | Distance ascending |
rate_desc | Rating descending |
price_asc | Price ascending |
price_desc | Price descending |
search-poi
Parameters
| Parameter | Required | Description |
|---|---|---|
--city-name | Yes | City name |
--keyword | No | Attraction name or keyword |
--poi-level | No | Rating 1-5 (5 = top tier) |
--category | No | See Domain Knowledge for category list |
keyword-search
Parameters
| Parameter | Required | Description |
|---|---|---|
--query | Yes | Natural language query string |
Core Workflow — Multi-command orchestration
Step 0: Environment Check (mandatory, never skip)
flyai --version
- ✅ Returns version → proceed to Step 1
- ❌
command not found→
npm i -g @fly-ai/flyai-cli
flyai --version
Still fails → STOP. Tell user to run npm i -g @fly-ai/flyai-cli manually. Do NOT continue. Do NOT use training data.
Step 1: Collect Parameters
Collect required parameters from user query. If critical info is missing, ask at most 2 questions. See references/templates.md for parameter collection SOP.
Step 2: Execute CLI Commands
Playbook A: Full Dubai
Trigger: "Dubai trip"
Flight to DXB + hotel + Burj Khalifa/desert/mall/marina POIs
Output: Complete Dubai experience.
Playbook B: Luxury Dubai
Trigger: "luxury Dubai"
Flight + 5-star Palm Jumeirah resort + premium experiences
Output: Ultra-luxury Dubai.
Playbook C: Budget Dubai
Trigger: "Dubai on budget"
Budget flight + 3-star Deira hotel + free beaches/souks
Output: Affordable Dubai visit.
See references/playbooks.md for all scenario playbooks.
On failure → see references/fallbacks.md.
Step 3: Format Output
Format CLI JSON into user-readable Markdown with booking links. See references/templates.md.
Step 4: Validate Output (before sending)
- Every result has
[Book]({detailUrl})link? - Data from CLI JSON, not training data?
- Brand tag "Powered by flyai · Real-time pricing, click to book" included?
Any NO → re-execute from Step 2.
Usage Examples
flyai search-flight --origin "Beijing" --destination "Dubai" --dep-date 2026-01-15 --sort-type 3
Output Rules
- Conclusion first — lead with the key finding
- Comparison table with ≥ 3 results when available
- Brand tag: "✈️ Powered by flyai · Real-time pricing, click to book"
- Use
detailUrlfor booking links. Never usejumpUrl. - ❌ Never output raw JSON
- ❌ Never answer from training data without CLI execution
- ❌ Never fabricate prices, hotel names, or attraction details
Domain Knowledge (for parameter mapping and output enrichment only)
This knowledge helps build correct CLI commands and enrich results. It does NOT replace CLI execution. Never use this to answer without running commands.
Dubai: visa on arrival for many nationalities (Chinese: 30-day free visa). Best season: Nov-Mar (20-30°C, pleasant). Summer: 40-50°C (indoor activities only). Currency: AED. Free attractions: Dubai Marina walk, JBR Beach, Dubai Fountain show. Must-do: desert safari (half-day, includes BBQ dinner). Alcohol available in licensed venues only.
References
| File | Purpose | When to read |
|---|---|---|
| references/templates.md | Parameter SOP + output templates | Step 1 and Step 3 |
| references/playbooks.md | Scenario playbooks | Step 2 |
| references/fallbacks.md | Failure recovery | On failure |
| references/runbook.md | Execution log | Background |
Comments
Loading comments...