Flyai Super Train / 火车票智能中转
v1.0.4火车票智能中转方案推荐助手。查火车票/高铁票/动车票/12306余票,智能拼接中转换乘方案,学习用户偏好(坐席策略、时间偏好、中转约束)。火车票查询/余票/车次/预订/中转换乘/坐席偏好。
⭐ 2· 158·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe train ticket search, transfer stitching and preference learning; the SKILL.md only requires the flyai CLI and local preference/history files and optionally an API key from flyai.open.fliggy.com — these are appropriate for the stated functionality.
Instruction Scope
Runtime instructions are detailed and scoped to calling the external flyai CLI, reading/writing assets/preferences.json and assets/history.json, and validating user inputs before building CLI arguments. The skill explicitly forbids reading/writing other filesystem paths and includes shell-injection protections. Note: it will persist user query/purchase history in assets/history.json (potentially sensitive).
Install Mechanism
This is an instruction-only skill with no install spec. It expects the user to have installed @fly-ai/flyai-cli via npm -g. That dependency is reasonable for the described purpose, but installing an external global npm package carries independent trust/risk decisions that the user should evaluate before installing.
Credentials
The skill requests no environment variables or credentials by default. It mentions an optional FLYAI_API_KEY for improved results (which aligns with the external service). There are no unrelated or excessive credential requests.
Persistence & Privilege
always:false (no forced presence). The only persistent state is the two local asset files inside the skill directory (preferences.json, history.json), which the skill documents and limits itself to. It does not request system-wide configuration changes or other skills' credentials.
Assessment
This skill appears to do what it claims: it calls the external flyai CLI to search trains and keeps local preference/history JSON files. Before using: (1) verify you trust and review the @fly-ai/flyai-cli npm package before installing it globally; (2) be aware history.json will record searches/purchases and may include personal travel data — clear or secure it if needed; (3) the skill may call external APIs via the CLI (optionally using a FLYAI_API_KEY) so only set that key if you trust the service; (4) the SKILL.md includes explicit input sanitization to reduce shell-injection risks, but installing and running an external CLI is the main trust boundary — review that tool's security/privacy policy.Like a lobster shell, security has layers — review code before you run it.
latestvk972sw9m5f9v9zqr7pq6fqvkgh84f86t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.