Paradiz

Audited by ClawScan on May 10, 2026.

Overview

The skill’s booking purpose is coherent, but it stores customer personal details and can use Telegram credentials from global OpenClaw settings to send that data without declaring those permissions.

Review this skill before installing. It looks like a real Paradiz booking assistant, but you should only use it if you are comfortable with it storing customer names, phones, emails, VK IDs, booking notes, and payment-related amounts locally, and with it sending selected booking details to a Telegram chat. Configure a dedicated Telegram bot/token and chat for this skill rather than relying on global OpenClaw Telegram settings.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or invoking the skill could let it use an existing Telegram bot credential from the user’s OpenClaw configuration, not just a Paradiz-specific token the user explicitly provided.

Why it was flagged

The script reads the global OpenClaw configuration and falls back to the general Telegram channel bot token, even though the supplied requirements declare no primary credential, env vars, or config paths.

Skill content

cfg = Path('/home/openclaw/.openclaw/openclaw.json') ... bt = str(j.get('channels', {}).get('telegram', {}).get('botToken', '')).strip()

Recommendation

Declare the Telegram credential and chat ID in metadata, remove fallback to global channel credentials, and require an explicit Paradiz-scoped token or user confirmation before sending notifications.

What this means

Customer personal and payment-related booking details may be forwarded to a Telegram chat controlled by the configured bot/chat settings.

Why it was flagged

The skill instructs the agent to send customer identity, contact, booking dates, room, and payment amount to Telegram, but the destination and authorization boundary are not clearly declared in the registry metadata.

Skill content

After the guest reports being ready to make a prepayment, send a Telegram notification with the guest's details (full name, phone, e-mail, dates, room, amount).

Recommendation

Document exactly which Telegram chat receives notifications, require opt-in or manager confirmation, and avoid sending more customer data than necessary.

What this means

Customer contact and booking details can remain in local skill files and may be exposed through backups, package sharing, or later agent context reuse.

Why it was flagged

The packaged data files contain persistent VK lead records with identifiers, names, phone numbers, emails, dates, rooms, and amounts, showing that customer data is stored inside the skill’s data directory.

Skill content

"user_id": 14229263, ... "email": "keeper78@inbox.ru", "phone": "+79999999999", ... "fio": "Иванов Иван Иванович"

Recommendation

Remove bundled live-looking PII, store operational booking data outside the distributed skill package, and document retention, deletion, and access-control expectations.

What this means

If run with the wrong price file or database, the skill could change local pricing records used for quotes or bookings.

Why it was flagged

The price-sync helper can delete and rewrite pricing rows in a local SQLite database. This is purpose-aligned maintenance behavior and creates a backup first, but it is still a business-data mutation capability.

Skill content

cur.execute('''DELETE FROM hotel_room_categories_cost
                       WHERE category=? AND date_from=? AND date_to=? AND number BETWEEN ? AND ?''',

Recommendation

Run database-sync commands only on the intended Paradiz database, keep backups, and require explicit user approval before maintenance scripts mutate booking or pricing data.