Trip Booking
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill claims to use live Booking.com data and manage reservations, but the included code returns mock hotel data and the booking/cancellation powers lack clear safeguards.
Review this skill carefully before installing. Do not use it for real booking decisions until it uses verified live Booking.com API data instead of mock results, declares its credential requirements, and requires explicit user confirmation before creating or canceling any reservation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users could be shown fabricated hotel availability, prices, or details and make travel decisions based on non-live data.
The implementation is set to return simulated hotel data, which contradicts the skill's stated requirement to use Booking.com API data and not invent hotel information, prices, or reviews.
# TODO: 实现真实的Booking API调用; # result = self._request("bookings.getHotels", params); # 模拟返回数据Do not rely on this skill for booking decisions until mock data is removed or clearly labeled and live Booking.com API results are verified.
An agent could be guided toward making or canceling a reservation without enough user confirmation, potentially causing charges or lost bookings.
The skill advertises actions that can create or cancel hotel reservations, but the instructions do not require explicit user approval or review of costs, guest details, and cancellation terms before those actions.
| create_booking_reservation | 创建预订 | hotel_id, room_id, guest_info | ... | cancel_booking_reservation | 取消预订 | reservation_id |
Require a final user confirmation step before any booking or cancellation, showing hotel, room, dates, guest details, total price, fees, and cancellation policy.
Users may not realize they need to provide a Booking.com API credential or may be tempted to put a secret directly into the script.
A Booking.com API credential is expected for this integration, but registry metadata declares no primary credential or required environment variable, and the code suggests static credential configuration.
BOOKING_AFFILIATE_ID = "your_affiliate_id"; BOOKING_API_KEY = "your_api_key"; "Authorization": f"Basic {self.api_key}"Declare the required credential in metadata and load it from a secure environment variable or credential store rather than hardcoding it.
Personal travel and guest details may be sent to Booking.com or a partner API when making a reservation.
Reservation creation would involve guest information being sent through a Booking.com partner/API flow. This is purpose-aligned, but the data boundary and handling are not described in detail.
| create_booking_reservation | 创建预订 | hotel_id, room_id, guest_info |
Tell users what guest data will be sent, to which provider, and require confirmation before transmitting it.
Users have less information for verifying who maintains the code or where updates should come from.
The skill includes local code files but has limited provenance information and no homepage. No remote installer or hidden dependency execution is shown, so this is a provenance note rather than a standalone concern.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: scripts/booking_api.py, scripts/openai_adapter.py
Install only if you trust the publisher, and prefer skills with a verifiable source repository or homepage.