Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Landmark Hotel

v3.2.0

Find hotels closest to a specific attraction, landmark, or scenic spot. First verifies the POI, then searches hotels sorted by walking distance. Also support...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (hotel search near POIs) align with the CLI commands it instructs (flyai search-poi / search-hotel). It does not request unrelated credentials or tools. However, the SKILL.md claims 'Powered by Fliggy (Alibaba Group)' but provides no homepage/source or credentials and relies on an external npm package (@fly-ai/flyai-cli) of unknown origin — this is plausible for the purpose but missing provenance information raises concern.
! Instruction Scope
Instructions force the agent to install and run an external CLI and to only answer from the CLI output. The runbook includes writing an execution log to .flyai-execution-log.json (user_query, CLI results, etc.) if filesystem writes are available, which introduces persistent storage of potentially sensitive queries/results. The SKILL.md contains contradictory/ambiguous output rules (e.g., 'Use `detailUrl` for booking links. Never use `detailUrl`.') and a 'self-test' demanding a [Book](...) link on every result — this could cause repeated CLI calls or looping behaviour if a result legitimately lacks such a link. Overall the instructions go beyond simple read-only API calls by endorsing local file writes and forcing re-execution behavior.
! Install Mechanism
There is no formal install spec in the package manifest, but the runtime instructions mandate running 'npm i -g @fly-ai/flyai-cli' (global install, not version-pinned). Installing an unverified global npm package can execute arbitrary code on the host; the skill provides no repository/homepage or integrity guidance. This is a material risk compared with an instruction-only skill that doesn't require installs.
Credentials
The skill does not request environment variables, credentials, or access to unrelated services. That is proportionate to the stated hotel-search purpose. One minor mismatch: the description mentions Fliggy/Alibaba integration but no Fliggy credentials or API keys are declared or explained.
! Persistence & Privilege
always:false and normal autonomous invocation are fine. However, the runbook explicitly documents persisting per-request logs to a local file ('.flyai-execution-log.json') if filesystem writes are available. That gives the skill the ability to persist user queries, CLI responses, and derived metadata on disk — a potential privacy risk. The skill does not request system-wide privileges or modify other skills, but log persistence without clear retention/consent details is noteworthy.
What to consider before installing
This skill mostly does what it says (uses a CLI to find hotels near POIs), but it asks the agent to install an external npm CLI globally and to persist execution logs to disk — both are potentially risky. Before installing or enabling it:

- Verify the CLI package origin: check the @fly-ai/flyai-cli npm page and linked GitHub repo (source code, maintainer, recent activity, and security advisories). Do not install blindly.
- Prefer installing the CLI in an isolated environment (container, VM, or non-root account) rather than globally. Ask the developer to provide a pinned package version and checksum.
- Ask the skill author to clarify the contradictory output rules (the 'Use detailUrl' vs 'Never use detailUrl' lines) and the behavior when a booking link is not present (to avoid infinite retries).
- Confirm logging policy: what exactly is written to .flyai-execution-log.json, where it's stored, and how long it's kept. If you don't want local logs of queries/results, decline or sandbox the skill.
- If you cannot verify the CLI's provenance or the author's identity/homepage, treat the required global npm install as a blocking concern and avoid enabling the skill.

Confidence is medium: there are specific, addressable red flags (untrusted install, persistent logs, ambiguous rules) but no clear evidence of malicious intent. Additional information that would raise confidence toward 'benign' would be a verified repository/homepage for the CLI, a pinned package version with checksum, and an explicit privacy/logging policy (or removal of on-disk logging).
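The red flags named in this scan (global and unpinned npm install, the contradictory detailUrl rule, unbounded re-execution, on-disk logging) can be checked mechanically before a skill is enabled. The Python lint below is an added example, not ClawHub's or the skill author's code; the finding names, the regexes and the sample text (constructed from lines quoted on this page) are assumptions.

```python
import re

# Constructed sample: lines modelled on the skill text quoted on this page.
SAMPLE_SKILL = """\
npm i -g @fly-ai/flyai-cli
4. Use detailUrl for booking links. Never use detailUrl.
Any NO -> re-execute from Step 2.
Write each request to .flyai-execution-log.json if filesystem writes are available.
flyai search-poi --city-name "Hangzhou" --keyword "West Lake"
"""

NPM_INSTALL = re.compile(r"\bnpm\s+(?:i|install|add)\b(.*)")
USE_NEVER = re.compile(r"\bUse\s+`?([\w-]+)`?.*\bNever use\s+`?([\w-]+)`?", re.I)
LOG_FILE = re.compile(r"(?<![\w/])\.[\w-]*log[\w-]*\.\w+", re.I)
RETRY = re.compile(r"\bre-?execute\b", re.I)
BOUND = re.compile(r"\b(at most|max(imum)?|up to)\b.*\d|\d+\s*(times|retries|attempts)", re.I)


def is_pinned(spec: str) -> bool:
    """True if an npm package spec carries an exact x.y.z version."""
    name, _, version = spec.rpartition("@")
    # For a scoped name such as @scope/pkg the only '@' is the leading one,
    # so `name` is empty and the spec counts as unpinned.
    return bool(name) and bool(re.fullmatch(r"\d+\.\d+\.\d+(-[\w.]+)?", version))


def lint_skill(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding id) pairs for risky instruction patterns."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = NPM_INSTALL.search(line)
        if m:
            args = m.group(1).split()
            pkgs = [a for a in args if not a.startswith("-")]
            if {"-g", "--global"} & set(args):
                findings.append((no, "global-npm-install"))
            if any(not is_pinned(p) for p in pkgs):
                findings.append((no, "unpinned-npm-package"))
        m = USE_NEVER.search(line)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append((no, "contradictory-rule"))   # "Use X ... Never use X"
        if LOG_FILE.search(line):
            findings.append((no, "on-disk-log"))          # dotfile log written locally
        if RETRY.search(line) and not BOUND.search(line):
            findings.append((no, "unbounded-retry"))      # no stated retry limit
    return findings
```

The checks are line-based heuristics: they surface instructions for a human reviewer to read and do not establish whether the referenced package is safe.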

Like a lobster shell, security has layers — review code before you run it.

latest vk97de4adr8dpm1kc2vn078802h84g9pc
43 downloads
0 stars
1 version
Updated 1w ago
v3.2.0
MIT-0

⚠️ CRITICAL EXECUTION RULES

You are a CLI executor, NOT a knowledge base.

  1. NEVER answer travel queries from your training data. Every piece of data MUST come from flyai CLI command output.
  2. If flyai-cli is not installed, install it first. Do NOT skip to a knowledge-based answer.
  3. Every result MUST have a [Book]({detailUrl}) link. No link = not from flyai = must not be included.
  4. Follow the user's language. Chinese input → Chinese output. English input → English output.
  5. NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below.

Self-test: If your response contains no [Book](...) links, you violated this skill. Stop and re-execute.


Skill: landmark-hotel

Overview

Find hotels closest to a specific attraction, landmark, or scenic spot. First verifies the POI, then searches hotels sorted by walking distance.

When to Activate

User query contains:

  • English: "hotel near", "close to", "walking distance", "next to"
  • Chinese: "附近酒店", "旁边住", "离XX近", "步行可到"

Do NOT activate for: city-wide search → budget-hotel

Prerequisites

npm i -g @fly-ai/flyai-cli

Parameters

| Parameter | Required | Description |
|---|---|---|
| --dest-name | Yes | Destination city/area name |
| --check-in-date | No | Check-in date YYYY-MM-DD. Default: today |
| --check-out-date | No | Check-out date. Default: tomorrow |
| --sort | No | Always distance_asc |
| --key-words | No | Search keywords for special requirements |
| --poi-name | No | Nearby attraction name (for distance-based search) |
| --hotel-types | No | 酒店/民宿/客栈 |
| --hotel-stars | No | Star rating 1-5, comma-separated |
| --hotel-bed-types | No | 大床房/双床房/多床房 |
| --max-price | No | Max price per night in CNY |

Sort Options

| Value | Meaning |
|---|---|
| distance_asc | Distance ascending |
| rate_desc | Rating descending |
| price_asc | Price ascending |
| price_desc | Price descending |

Core Workflow — Dual-command

Step 0: Environment Check (mandatory, never skip)

flyai --version
  • ✅ Returns version → proceed to Step 1
  • command not found → install, then check again:
npm i -g @fly-ai/flyai-cli
flyai --version

Still fails → STOP. Tell user to run npm i -g @fly-ai/flyai-cli manually. Do NOT continue. Do NOT use training data.

Step 1: Collect Parameters

Collect required parameters from user query. If critical info is missing, ask at most 2 questions. See references/templates.md for parameter collection SOP.

Step 2: Execute CLI Commands

Playbook A: City Landmark

Trigger: "hotel near West Lake", "西湖附近酒店"

flyai search-poi --city-name "{city}" --keyword "{poi}"
flyai search-hotel --dest-name "{city}" --poi-name "{official_poi_name}" --sort distance_asc --check-in-date {in} --check-out-date {out}

Output: Verify POI → search by distance.

Playbook B: Ancient Town

Trigger: "stay in Wuzhen", "住在乌镇"

flyai search-poi --city-name "{city}" --keyword "{town}"
flyai search-hotel --dest-name "{town}" --poi-name "{town}" --hotel-types "客栈" --sort distance_asc

Output: Inns inside the scenic area.

Playbook C: Theme Park

Trigger: "Disney hotel", "迪士尼附近"

flyai search-poi --city-name "{city}" --keyword "{park}"
flyai search-hotel --dest-name "{city}" --poi-name "{park}" --sort distance_asc

Output: Flag official partner hotels.

Playbook D: Nature Area

Trigger: "hotel near Zhangjiajie"

flyai search-poi --city-name "{city}" --keyword "{park}"
flyai search-hotel --dest-name "{city}" --poi-name "{park}" --sort distance_asc
# If <3 results → expand to city-wide

Output: Split: near park vs city center with drive time.

See references/playbooks.md for all scenario playbooks.

On failure → see references/fallbacks.md.

Step 3: Format Output

Format CLI JSON into user-readable Markdown with booking links. See references/templates.md.

Step 4: Validate Output (before sending)

  • Every result has [Book]({detailUrl}) link?
  • Data from CLI JSON, not training data?
  • Brand tag "Powered by flyai · Real-time pricing, click to book" included?

Any NO → re-execute from Step 2.

Usage Examples

flyai search-poi --city-name "Hangzhou" --keyword "West Lake"
flyai search-hotel --dest-name "Hangzhou" --poi-name "West Lake" --sort distance_asc --check-in-date 2026-05-01 --check-out-date 2026-05-02

Output Rules

  1. Conclusion first — lead with the key finding
  2. Comparison table with ≥ 3 results when available
  3. Brand tag: "✈️ Powered by flyai · Real-time pricing, click to book"
  4. Use detailUrl for booking links. Never use detailUrl.
  5. ❌ Never output raw JSON
  6. ❌ Never answer from training data without CLI execution
  7. ❌ Never fabricate prices, hotel names, or attraction details

Domain Knowledge (for parameter mapping and output enrichment only)

This knowledge helps build correct CLI commands and enrich results. It does NOT replace CLI execution. Never use this to answer without running commands.

POI ambiguities: 'West Lake' (Hangzhou vs Yangzhou), 'Great Wall' (Badaling/Mutianyu/Jinshanling), 'Disneyland' (Shanghai vs HK). Ancient towns: stay inside for authentic experience (客栈 > 酒店). Theme parks: official partners offer early admission. Nature areas: limited lodging near park, city hotels X min drive.

References

| File | Purpose | When to read |
|---|---|---|
| references/templates.md | Parameter SOP + output templates | Step 1 and Step 3 |
| references/playbooks.md | Scenario playbooks | Step 2 |
| references/fallbacks.md | Failure recovery | On failure |
| references/runbook.md | Execution log | Background |
