Travel Agent Skill

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent may send instructions that lead to flight bookings, changes, cancellations, or payment-related travel actions.

Why it was flagged

The skill can trigger real travel bookings or changes through email, but the artifact also states that every action requires explicit human approval.

Skill content

description: Find, book, and change flights for your human via email. One message, and done. ... require-explicit: TRUE — Every action requires explicit human approval

Recommendation

Only approve outbound booking or change emails after checking itinerary, passenger, price, refundability, and cancellation terms.

What this means

The agent will use your existing email authority to communicate with BonBook and read booking replies.

Why it was flagged

The skill depends on delegated email send/read authority, even though it does not request its own API keys or credentials.

Skill content

- REQUIRED: Agent must be able to send email on behalf of the human (to book@bonbook.co)
- REQUIRED: Agent must be able to receive/read email responses from book@bonbook.co

Recommendation

Grant email permissions only to a trusted agent, keep the scope focused on BonBook messages where possible, and review sent mail for booking-related actions.

What this means

Travel plans and booking references may appear in email, which can be sensitive even if passport, card, and full identity data are excluded.

Why it was flagged

The external email channel is disclosed and bounded, but it still carries travel requests, booking references, flight details, and receipts.

Skill content

Emails to/from book@bonbook.co are plain-text and contain NO sensitive PII, card data, or credentials. ... OUTBOUND ... Flight requests only ... INBOUND ... Booking confirmations, change notices, and status updates.

Recommendation

Do not include passports, card numbers, credentials, or unnecessary personal details in email; verify that replies come from the expected BonBook address.

What this means

BonBook may retain booking data, payment information, identity documents, and traveler preferences needed for travel services.

Why it was flagged

The skill discloses that sensitive travel-service data is stored by BonBook's backend, separate from the skill's claimed no-persistence behavior.

Skill content

BonBook's backend stores booking data as required for travel services. ... Sensitive data (payment, identity docs) encrypted in transit and at rest

Recommendation

Review BonBook's account, retention, privacy, and deletion options before storing traveler documents or payment details.

What this means

Marketing and security claims may influence a user to approve travel or payment actions more readily.

Why it was flagged

The artifact includes strong service-quality and security assurances that users may rely on when approving high-impact bookings.

Skill content

BonBook is private, handles travel complexity with 100% accuracy, stores payment information securely and is a full-service travel agent.

Recommendation

Independently verify the provider, support domain, pricing, and security/privacy terms before relying on the service for paid travel.