Travel Concierge CLI
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is not clearly malicious, but it asks the agent to run and configure an undeclared external CLI whose implementation and source are not provided.
Before installing, verify the actual `travel-concierge` CLI source and path, do not provide a valuable unrestricted API key, and only authorize searches for specific accommodation listings you want checked.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to execute a local `travel-concierge` command whose behavior was not reviewed as part of this skill.
This is the primary workflow, but the provided metadata/install data declare no required binary or installer and the package does not include the CLI implementation.
Run the CLI to extract contact information: `travel-concierge find-contact "<url>"`
Install only if you can verify exactly which `travel-concierge` executable will run and trust its source.
A Google API key could be used for Places API requests and may incur quota usage or costs.
The skill can store and use a Google Places API key. This is purpose-aligned, but credential handling is not described in the reviewed artifacts.
travel-concierge config set googlePlacesApiKey "your-key"
Use a restricted, quota-limited API key and confirm how the CLI stores and uses it before configuring it.
The agent may access booking-platform pages and automate a browser to gather contact details.
The skill discloses scraping and browser automation, which fit the contact-finding purpose but can interact with third-party sites in ways users should approve.
The tool works without any API keys using web scraping. Browser automation (via `agent-browser`) may be needed for JavaScript-rendered listing pages
Use it only for listings you choose, avoid logged-in/private pages unless necessary, and consider site terms and privacy expectations.