ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vanio AI

v0.1.0

Connect your agent to Airbnb, Booking.com & VRBO via Vanio AI — the only way to manage vacation rentals from OpenClaw. 140 tools for reservations, guests, me...

0· 51·0 current·0 all-time
by@ivannikolovbg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary 'vanio', primary env var VANIO_API_KEY, and the npm package @vanio-ai/cli align: the skill is a CLI that connects to Vanio's API for property management.
Instruction Scope
SKILL.md instructs use of the vanio CLI (login, ask, chat, config). Runtime instructions reference only ~/.config/vanio/config.json, VANIO_API_KEY, and optionally VANIO_API_URL, and perform expected actions (open browser, run local callback server, call api.vanio.ai). There are no instructions to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
Install uses npm package @vanio-ai/cli (creates 'vanio' binary). npm installs are a common, expected mechanism for CLIs; this is moderate-risk compared to no-install, but appropriate for a Node CLI. Recommend verifying the package on the npm registry (publisher, version, integrity) before installing.
Credentials
Only VANIO_API_KEY is required (primary credential) and optional VANIO_API_URL; this is proportional to a service-API CLI. The CLI stores the API key plaintext in ~/.config/vanio/config.json—standard for many CLIs but worth noting because the key is persisted unencrypted.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide privileges. It writes only to its own config path (~/.config/vanio/config.json) and does not modify other skills or system settings.
Assessment
This appears to be a legitimate CLI skill. Before installing: (1) confirm the npm package @vanio-ai/cli on the npm registry is the official publisher and matches vanio.ai; (2) be aware the CLI will store your VANIO_API_KEY in plaintext at ~/.config/vanio/config.json (consider using a scoped API key with limited permissions); (3) the CLI opens your browser and runs a temporary localhost server during login — this is normal for OAuth but ensure you run that flow only when you trust the site; (4) if you have security policies about CLI installs, review the package contents or vendor documentation first. If any of these raise concerns (unknown publisher, untrusted registry package), do not install.
src/index.ts:169
Shell command execution detected (child_process).
dist/index.cjs:2
Environment variable access combined with network send.
src/index.ts:34
Environment variable access combined with network send.
!
dist/index.cjs:2
File read combined with network send (possible exfiltration).
!
src/index.ts:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cjstps7xknbcxxz1qs9y69x844cqc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏠 Clawdis
Binsvanio
EnvVANIO_API_KEY
Primary envVANIO_API_KEY

Install

Install Vanio CLI (npm)
Bins: vanio
npm i -g @vanio-ai/cli

Comments