ClawHub

amidyfortest

v1.0.0

Query flight, train, and hotel booking information via a backend AI assistant. Activate this skill when the user asks about flights (机票/航班/飞机), trains (火车/高铁...

0· 254·0 current·0 all-time
by@xuanhua
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and scripts implement a trip-assistant that posts user queries to a backend /trip/chat/stream endpoint — this aligns with the stated travel/booking purpose. However the package metadata name ('amidyfortest') and the SKILL.md name ('trip-assistant') do not match, and the skill metadata declares no required environment variables while both SKILL.md and the script rely on BOOKING_API_* environment variables and CLI flags.
Instruction Scope
Instructions stay within the travel-query scope (run the provided script with the user's full query and return the backend response). They explicitly ask the agent/user to send the full original message to the backend; that means any sensitive content in user messages will be transmitted. The docs also instruct how to run a FastAPI server (uvicorn booking_assitant.fastapi_serve:app), which is operational guidance but not intrinsically out-of-scope.
Install Mechanism
No install spec is present and this is an instruction-only skill with a small Python script; nothing is downloaded or written during install.
!
Credentials
The script and SKILL.md use environment variables BOOKING_API_USER_ID, BOOKING_API_ENV, and BOOKING_API_BASE_URL (with defaults embedded), but the skill registry metadata lists no required env vars or primary credential. The presence of a hard-coded default user ID (a Mongo-like ID) and a default base URL pointing to host.docker.internal:8763 are noteworthy — they may cause accidental requests to local services or leak an identifier. The skill will transmit the user's full query to the backend, so environment/credential omissions and defaults make it unclear what credentials or endpoints will actually be used.
Persistence & Privilege
The skill does not request persistent privileges (always is false) and contains no code that modifies other skills or system-wide configs. It only communicates with an external backend when invoked.
What to consider before installing
This skill appears to be a simple client that sends the user's full query to a backend booking service. Before installing or using it: 1) verify which skill you are installing (registry metadata name 'amidyfortest' vs SKILL.md 'trip-assistant'); 2) confirm and set BOOKING_API_BASE_URL to a trusted endpoint — the default points at host.docker.internal:8763 (local service) and could be wrong or unintended; 3) review whether you want the user's entire message (including any personal or payment info) to be sent to that backend; 4) consider replacing the hard-coded default user ID or supplying your own via BOOKING_API_USER_ID; 5) test the script against a staging endpoint first and inspect the backend (booking_assistant.fastapi_serve) to ensure it behaves as expected. These inconsistencies look like sloppy configuration rather than overtly malicious behavior, but they increase risk and should be resolved before trusting the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xxa9fa4rvz8sh55pdhm3c582agsp
254downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@xuanhua
latest
Download

Trip Assistant Skill

A conversational AI assistant for booking and querying flights, trains, and hotels. The assistant communicates in natural language and handles complex travel queries including date parsing, multi-city trips, and comparisons.

When to Use

Activate this skill when the user:

  • Asks about flights: 机票, 航班, 飞机, 坐飞机, 飞到, 航空
  • Asks about trains: 火车, 高铁, 动车, 列车, 火车票, 高铁票
  • Asks about hotels: 酒店, 住宿, 宾馆, 旅馆, 住哪里
  • Asks for travel planning: 出行规划, 怎么去, 旅行安排, 最快怎么到

How to Use

Run the query script, passing the user's complete natural language query:

python SKILL_DIR/scripts/query.py \
  --query "<user query>" \
  --user-id "${BOOKING_API_USER_ID:-624e5b8b3f4a2f4ec566e3d3}" \
  --env "${BOOKING_API_ENV:-prod}" \
  --base-url "${BOOKING_API_BASE_URL:-http://host.docker.internal:8763}"

Key notes:

  • Replace SKILL_DIR with the absolute path to this skill's directory
  • The --query value should be the user's full original message (do not rewrite or simplify)
  • The script outputs the assistant's reply to stdout; pass it back to the user verbatim
  • If the script returns a connection error, inform the user the service is unavailable and ask them to check that the FastAPI server is running (uvicorn booking_assitant.fastapi_serve:app --host 0.0.0.0 --port 8763)

Configuration

ParameterCLI FlagEnvironment VariableDefault
User ID--user-idBOOKING_API_USER_ID624e5b8b3f4a2f4ec566e3d3
Environment--envBOOKING_API_ENVprod
API Base URL--base-urlBOOKING_API_BASE_URLhttp://host.docker.internal:8763

Environments:

  • prod — Production data
  • fat — Test/staging data

Examples

Query flight

User: "帮我查一下明天北京到上海的机票"

python ~/.claude/skills/trip-assistant/scripts/query.py \
  --query "帮我查一下明天北京到上海的机票" \
  --user-id "user123" \
  --env prod

Query train

User: "3月10日从上海去杭州有哪些高铁?"

python ~/.claude/skills/trip-assistant/scripts/query.py \
  --query "3月10日从上海去杭州有哪些高铁?" \
  --user-id "user123" \
  --env prod

Query hotel

User: "查一下北京王府井附近明天的酒店"

python ~/.claude/skills/trip-assistant/scripts/query.py \
  --query "查一下北京王府井附近明天的酒店" \
  --user-id "user123" \
  --env prod

Error Handling

Exit CodeMeaningAction
0SuccessDisplay output to user
1 (connection error)FastAPI server not reachableAsk user to start the server
1 (HTTP error)API returned errorDisplay the error message
1 (timeout)Request timed outSuggest retrying

Comments

Loading comments...