Universal travel planning skill for OpenClaw agents. Plan itineraries, check weather, discover attractions, and estimate budgets — all through natural conver...
Security Analysis
high confidenceThe skill appears to implement the travel-planning features it describes (geocoding, weather, Wikivoyage guides, local caching) and its requested resources are proportionate to that purpose.
Name/description match the implementation: geocoding (Nominatim), weather (Open-Meteo primary, Visual Crossing optional), and Wikivoyage are used and make sense for itinerary and budget estimation. Small inconsistency: registry metadata labels the package as 'instruction-only', yet the bundle includes full TypeScript sources and a package.json with dependencies (axios, better-sqlite3). The presence of better-sqlite3 is consistent with the stated local SQLite cache, so this is likely benign but worth noting.
SKILL.md and source code limit action to making outbound HTTP requests to public APIs and writing a local SQLite cache. The runtime instructions do not ask the agent to read unrelated system files or exfiltrate data. One privacy note: cache keys include user query/geocode keys (e.g., 'geo:<query>') and the skill writes API responses to a local DB; the author states user itineraries/personal data are not stored, but cached API responses could reflect user queries (location names).
No registry-level install spec was provided (lowest-risk), but SKILL.md instructs users to run 'npm install' or use the OpenClaw CLI. package.json lists axios and better-sqlite3. better-sqlite3 is a native module that builds during npm install (native C++ binding), which increases install complexity and requires a build toolchain on the host. There are no downloads from untrusted URLs and dependencies are from npm.
The skill declares no required environment variables; it documents optional keys (VISUAL_CROSSING_API_KEY, OPENWEATHER_API_KEY, AMADEUS_* for future features) which are appropriate for those optional integrations. No unrelated secrets are requested. The code only reads VISUAL_CROSSING_API_KEY (optional fallback) and TOUR_PLANNER_CACHE_PATH for cache redirection.
The skill writes a persistent local SQLite cache (default: ~/.openclaw/cache/tour-planner.db). This is within its own scope and configurable via TOUR_PLANNER_CACHE_PATH. always:false (not force-included) and normal autonomous invocation is allowed. It does not request elevated OS privileges or modify other skills' configs.
Guidance
This skill appears to be what it claims: a travel planner that calls public APIs and caches responses in a local SQLite DB. Before installing, decide if you’re comfortable with a local cache file (default: ~/.openclaw/cache/tour-planner.db) and ensure your environment can build native npm modules (better-sqlite3). Optional API keys (Visual Crossing, OpenWeather, Amadeus) are not required for core features. If you need maximum privacy, set TOUR_PLANNER_CACHE_PATH to a directory you control or delete the DB periodically. If you want to be cautious, run the package in an isolated environment (container or sandbox) when first testing.
Latest Release
v1.0.2
v1.0.2 — Fix all documentation contradictions flagged by security scanner. SECURITY.md now accurately documents SQLite cache, optional API keys, and clarifies ANALYSIS.md is a roadmap doc (no Playwright/scraping in current release). All env vars are optional — core features remain 100% keyless via Open-Meteo + Wikivoyage + Nominatim. Added package-lock.json for full dependency auditability.
More by @Asif2BD
Published by @Asif2BD on ClawHub
