ClawHub

酒店预订助手

v1.0.0

分贝通酒店预定助手,实时查询搜索酒店、展示酒店列表、查询酒店房型、展示房型产品和报价、预定酒店、查看订单、取消订单、查看酒店基础信息和酒店评论信息。

0· 115·0 current·0 all-time
byfenbeitong-trip@gaogao605
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included code and SKILL.md: the package provides search, price/query, detail, comments, create/cancel/query order functionality against the fenbeitong endpoint. Required binary (python3) is reasonable for this Python skill.
Instruction Scope
Runtime instructions are focused on the hotel's API and require using scripts/fb_hotel_api.py. They mandate saving/reading an access token at ~/.fbt-auth.json (expected). The SKILL.md explicitly forbids fabricating data and instructs to call only the API wrapper functions — this keeps scope tight. Note: SKILL.md / API spec indicate payment redirect URLs that may include the access token as a query parameter (potential token leakage via referer/logs).
Install Mechanism
No install spec is provided (instruction-only), but the skill includes Python code files and a requirements.txt. That is coherent but means dependencies (requests, pyyaml, python-dotenv) may not be automatically installed by the platform; runtime will require python and those libraries to be present. No downloads from unknown URLs or extract/install steps are present.
Credentials
The skill requests no environment variables and does not ask for unrelated credentials. It persists an access token to ~/.fbt-auth.json — expected for this use case. Two points to review: 1) there is a hard-coded DEFAULT_ACCESS_TOKEN (test token) in the code, which means the client will fall back to this token if no saved token is present; 2) documentation shows a payment redirect URL that can include the access token in the query string, which can expose tokens in logs/referrers if used as-is.
Persistence & Privilege
The skill writes only to its own auth file (~/.fbt-auth.json) for token persistence and does not request always:true or system-wide config changes. It does not modify other skills' configs or claim elevated privileges.
Assessment
This skill is coherent with its stated hotel-booking purpose, but take these precautions before installing: (1) review and, if desired, remove or replace the hard-coded DEFAULT_ACCESS_TOKEN in scripts/fb_hotel_api.py so the skill cannot silently use a fallback token; (2) be aware the skill saves your access token to ~/.fbt-auth.json — protect that file (it grants API access); (3) note the payment redirect URL format may embed the token in the query string (token leakage risk via referer or logs), so confirm how payment links are used or sanitize tokens before building URLs; (4) ensure the runtime environment has the dependencies in requirements.txt installed (requests, pyyaml, python-dotenv) since there is no automated install step; (5) if you need higher assurance, inspect network calls in a controlled environment (or review the server-side API behavior) to confirm no unexpected endpoints are contacted. If you want, I can show exact lines that reference DEFAULT_ACCESS_TOKEN and the payment URL so you can change them.

Like a lobster shell, security has layers — review code before you run it.

latestvk970sktvpbb1avkcxfw3zfvhr583mch4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏨 Clawdis
Binspython3

Comments