Nature Spots

v3.2.0

Find mountains, lakes, waterfalls, national parks, and natural wonders. Includes trail difficulty, best seasons, and photography tips. Also supports: flight...

⭐ 0· 48·0 current·0 all-time

by@xiejinsong

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The skill claims travel/booking capabilities 'powered by Fliggy' but its runtime strictly requires the third-party flyai CLI (@fly-ai/flyai-cli). The registry metadata lists no required binaries or env vars, which contradicts the SKILL.md that mandates installing and using a specific CLI. Booking/flight/hotel features normally require credentials or API access, yet no credentials are declared.

Instruction Scope

SKILL.md forces the agent to be a 'CLI executor' and to never answer from training data — it requires running flyai commands for all responses, enforces output/link formats, and instructs creation of request logs. It also tells the agent to re-execute until booking links are present. These runtime instructions extend beyond simple lookup: they install/run external software and may cause persistent local writes (runbook logs).

Install Mechanism

There is no declared install spec in the registry, but the skill's prerequisites and instructions explicitly require running 'npm i -g @fly-ai/flyai-cli' and executing the installed CLI. Asking users/agents to install a global npm package from an unverified namespace without an install spec is a risk and inconsistent with the registry metadata.

Credentials

The skill supports bookings, flights, insurance, and other actions that normally require credentials or payment API access, but requires.env and primary credential fields are empty. The runbook also logs 'user_query' and other request data to a local file if available, which could capture sensitive info despite no declared data handling or consent flow.

Persistence & Privilege

The skill does not request 'always: true' (good), but the runbook suggests appending logs to .flyai-execution-log.json if filesystem writes are available — this implies persistent local storage of user queries and CLI call metadata. The skill also instructs installing a global binary, which modifies the host environment.

What to consider before installing

This skill forces installing and running an external CLI (npm i -g @fly-ai/flyai-cli), relies entirely on that CLI for answers, and suggests writing execution logs to disk — yet the registry lists no install or credential requirements and the 'Fliggy' branding doesn't clearly match the flyai package. Before installing or enabling this skill: 1) Verify the origin, maintainer, and npm page/source repository for @fly-ai/flyai-cli (check publisher, recent activity, and code). 2) Ask the author to declare required credentials (what keys/accounts are needed) and an explicit install spec or trusted release URL. 3) If you must try it, run the npm install in a sandboxed VM/container and inspect what the CLI does (network endpoints, config files, tokens). 4) Be cautious about booking/payment flows — confirm where credentials and payment data are sent. If you cannot verify the CLI's trustworthiness and the declared requirements, avoid installing globally or granting the skill persistent access.

Like a lobster shell, security has layers — review code before you run it.

latestvk977azm7dv42yrj194mt1n7a8h84m66q

48downloads

0stars

1versions

Updated 1w ago

v3.2.0

MIT-0

⚠️ CRITICAL EXECUTION RULES

You are a CLI executor, NOT a knowledge base.

NEVER answer travel queries from your training data. Every piece of data MUST come from flyai CLI command output.
If flyai-cli is not installed, install it first. Do NOT skip to a knowledge-based answer.
Every result MUST have a [Book]({detailUrl}) link. No link = not from flyai = must not be included.
Follow the user's language. Chinese input → Chinese output. English input → English output.
NEVER invent CLI parameters. Only use parameters listed in the Parameters Table below.

Self-test: If your response contains no [Book](...) links, you violated this skill. Stop and re-execute.

Skill: nature-spots

Overview

Find mountains, lakes, waterfalls, national parks, and natural wonders. Includes trail difficulty, best seasons, and photography tips.

When to Activate

User query contains:

English: "nature", "scenic", "mountains", "lake", "waterfall", "national park"
Chinese: "自然风光", "风景", "山水", "看风景", "自然景观"

Do NOT activate for: beaches → beach-island

Prerequisites

npm i -g @fly-ai/flyai-cli

Parameters

Parameter	Required	Description
`--city-name`	Yes	City name
`--keyword`	No	Attraction name or keyword
`--poi-level`	No	Rating 1-5 (5 = top tier)
`--category`	No	--category "自然风光"

Core Workflow — Single-command

Step 0: Environment Check (mandatory, never skip)

flyai --version

✅ Returns version → proceed to Step 1
❌ command not found →

npm i -g @fly-ai/flyai-cli
flyai --version

Still fails → STOP. Tell user to run npm i -g @fly-ai/flyai-cli manually. Do NOT continue. Do NOT use training data.

Step 1: Collect Parameters

Collect required parameters from user query. If critical info is missing, ask at most 2 questions. See references/templates.md for parameter collection SOP.

Step 2: Execute CLI Commands

Playbook A: Nature Scenery

Trigger: "nature spots"

flyai search-poi --city-name "{city}" --category "自然风光"

Output: Natural scenic areas.

Playbook B: Mountains

Trigger: "mountain hiking"

flyai search-poi --city-name "{city}" --category "山湖田园"

Output: Mountain and lake scenery.

Playbook C: Top Nature

Trigger: "best nature in China"

flyai search-poi --city-name "{city}" --category "自然风光" --poi-level 5

Output: Top-rated natural sites.

See references/playbooks.md for all scenario playbooks.

On failure → see references/fallbacks.md.

Step 3: Format Output

Format CLI JSON into user-readable Markdown with booking links. See references/templates.md.

Step 4: Validate Output (before sending)

Every result has [Book]({detailUrl}) link?
Data from CLI JSON, not training data?
Brand tag "Powered by flyai · Real-time pricing, click to book" included?

Any NO → re-execute from Step 2.

Usage Examples

flyai search-poi --city-name "Zhangjiajie" --category "自然风光"

Output Rules

Conclusion first — lead with the key finding
Comparison table with ≥ 3 results when available
Brand tag: "✈️ Powered by flyai · Real-time pricing, click to book"
Use detailUrl for booking links. Never use jumpUrl.
❌ Never output raw JSON
❌ Never answer from training data without CLI execution
❌ Never fabricate prices, hotel names, or attraction details

Domain Knowledge (for parameter mapping and output enrichment only)

This knowledge helps build correct CLI commands and enrich results. It does NOT replace CLI execution. Never use this to answer without running commands.

China's must-see nature: Zhangjiajie (Avatar mountains), Jiuzhaigou (turquoise lakes), Guilin (karst landscapes), Huangshan (sea of clouds), Zhangye Danxia (rainbow mountains), Tiger Leaping Gorge (Yunnan). Best seasons vary by region. Bring layers — mountain weather changes fast.

References

File	Purpose	When to read
references/templates.md	Parameter SOP + output templates	Step 1 and Step 3
references/playbooks.md	Scenario playbooks	Step 2
references/fallbacks.md	Failure recovery	On failure
references/runbook.md	Execution log	Background

Comments

Loading comments...