Travel Concierge CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
The travel-booking purpose is coherent, but the skill needs review because it relies on undeclared high-impact credentials, external CLI/binaries, a public ngrok tunnel, and autonomous phone calls that can affect real bookings.
Before installing or using this skill, verify the source and code of the `concierge` CLI, use separate limited provider keys with billing caps, avoid sharing ngrok URLs, prefer interactive mode for sensitive calls, and require explicit confirmation before the AI makes bookings, cancellations, or other commitments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may run an unreviewed `concierge` binary from the local PATH and give it high-value provider credentials.
The docs require external binaries, while the registry declares no required binaries or install spec and the provided files do not include the `concierge` CLI implementation. This leaves the executable provenance outside the reviewed artifact set.
AI calls require local binaries in addition to API keys: - `ffmpeg` ... - `ngrok` ... Verify locally: `ffmpeg -version` ... `ngrok version`
Install the CLI only from a verified source, inspect the implementation before storing credentials, and update the skill metadata to declare the required binaries and credential dependencies.
Compromise or misuse of these keys could incur phone/API charges or allow activity through the user's provider accounts.
These credentials allow account-backed phone calls, transcription, speech synthesis, LLM responses, and tunnel setup. They are expected for the feature, but they are high-impact and not reflected in the registry's declared credential requirements.
Required for AI phone calls ... `twilioAccountSid` ... `twilioAuthToken` ... `deepgramApiKey` ... `elevenLabsApiKey` ... `anthropicApiKey` ... Optional for auto ngrok auth ... `ngrokAuthToken`
Use least-privilege or separate project keys where possible, set billing limits, rotate keys after testing, and ensure the registry metadata clearly discloses all credential requirements.
The AI could make or cancel a reservation, disclose personal details, or spend provider credits during a phone call without another explicit checkpoint.
The skill can interact with real businesses or people, and the examples include booking rooms, making reservations, and canceling appointments. The artifacts do not document approval gates before commitments, cancellations, disclosures, or paid call time.
Make autonomous phone calls with a goal-driven AI agent. The AI handles the conversation until the goal is achieved.
Require explicit user confirmation before dialing and before commitments or cancellations; prefer `--interactive` for sensitive calls and add duration/spend limits.
If the public URL or endpoints are reachable by unintended parties, calls or audio/control channels could be misused, causing privacy exposure or account charges.
The setup exposes the local call server through a public ngrok URL, including call initiation, control, and media-stream endpoints. The artifacts do not document authentication, origin checks, or endpoint separation for that public tunnel.
`ngrok http 3000` ... `POST /call - Initiate calls` ... `WS /control - Command channel` ... `WS /media-stream - Twilio audio stream`
Use authenticated webhooks/control channels, keep initiation/control endpoints localhost-only where possible, enable ngrok access controls, and rotate/close tunnels after each call.
Sensitive local configuration or logs may remain on disk after calls finish.
The skill persistently stores configuration and operational logs. This is disclosed and purpose-aligned, but those files may contain sensitive tokens, URLs, or call metadata.
The CLI stores configuration in: `~/.config/concierge/config.json5` ... server/ngrok logs are written under `~/.config/concierge/call-runs/<run-id>/`
Protect the config directory with appropriate file permissions, avoid committing it to repositories, and delete old call-run logs when no longer needed.
