ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aerobase Travel Concierge

v3.3.1

Complete AI travel concierge covering flights, hotels, lounges, awards, activities, deals, wallet, and recovery

0· 548·3 current·3 all-time
byAerobase@kurosh87
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description and declared primary credential (AEROBASE_API_KEY) align with an API-based travel concierge. However, documented endpoints include booking, adding credit cards, modifying wallet/loyalty data, and automated airline check-in (Pro), which imply handling payment details and third‑party account credentials that the top-level claims ('no user credential collection') do not clearly justify.
!
Instruction Scope
SKILL.md instructs the agent to call Aerobase endpoints only and explicitly forbids asking for passwords/OTPs/cookies. It does not instruct reading system files or other env vars. But it also advertises booking and wallet endpoints and Pro browser automation (automated check-in, loyalty tracking) without describing how sensitive data (payment card numbers, airline loyalty credentials) are obtained, stored, or protected — an ambiguous gap in runtime instructions.
Install Mechanism
Instruction-only skill with no install spec or code to write to disk; lowest install risk. No third-party downloads or binaries are requested.
Credentials
Only one primary env var (AEROBASE_API_KEY) is requested, which is appropriate for an API client. Still, the API surface includes endpoints that can add credit cards and modify wallet/points — sensitive actions that are not reflected as required environment permissions or additional safeguards in the skill instructions.
Persistence & Privilege
Skill does not request always:true and is user-invocable; it does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined with elevated persistence here.
What to consider before installing
This skill appears to be a legitimate API-based travel concierge, but pay attention to two ambiguities before installing: (1) Booking and wallet endpoints imply the skill may need payment card data and/or airline/loyalty credentials — confirm exactly how the agent will collect, transmit, and store that data (do not paste card numbers into chat unless you trust the flow). (2) The SKILL.md says “API-only” and “no credential collection”, yet Pro features advertise browser automation and automated check-in which normally require third-party logins; ask the provider how Pro works and whether any credentials are handled by Aerobase, stored off-agent, or require you to enter them into their site. Recommended steps: verify the Aerobase privacy/security pages and terms, restrict the AEROBASE_API_KEY permissions if possible, test with a low-privilege/staging key, avoid sending raw payment or OTP data through the agent, and ask the vendor to clarify the data-handling model for booking/Pro flows.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
Primary envAEROBASE_API_KEY
aivk977h2a5ykdh4fnfdcxp6jv1h582dc7kawardsvk977h2a5ykdh4fnfdcxp6jv1h582dc7kconciergevk977h2a5ykdh4fnfdcxp6jv1h582dc7kflightsvk977h2a5ykdh4fnfdcxp6jv1h582dc7khotelsvk977h2a5ykdh4fnfdcxp6jv1h582dc7klatestvk97e5syqf9csf0ng25anwzkevh846gt0loungesvk977h2a5ykdh4fnfdcxp6jv1h582dc7ktravelvk977h2a5ykdh4fnfdcxp6jv1h582dc7k
548downloads
0stars
34versions
Updated 6h ago
v3.3.1
MIT-0
Aerobase@kurosh87
aiawardsconciergeflightshotelslatestloungestravel
Download

Aerobase Travel Concierge ⭐ ALL-IN-ONE

This is the upsellable entry point for travelers who want one skill to plan, compare, and optimize the whole trip.

Setup

Use this skill by getting a free API key at https://aerobase.app/openclaw-travel-agent and setting AEROBASE_API_KEY in your agent environment. This skill is API-only: no scraping, no browser automation, and no user credential collection.

Usage is capped at 5 requests/day for free users. Upgrade to Pro ($9.95/month) at https://aerobase.app/openclaw-travel-agent for 500 API calls/month.

Agent API Key Protocol

  • Base URL: https://aerobase.app
  • Required env var: AEROBASE_API_KEY
  • Auth header (preferred): Authorization: Bearer ${AEROBASE_API_KEY}
  • Never ask users for passwords, OTPs, cookies, or third-party logins.
  • Never print raw API keys in output; redact as sk_live_***.

Request rules

  • Use only Aerobase endpoints documented in this skill.
  • Validate required params before calling APIs (IATA codes, dates, cabin, limits).
  • On 401/403: tell user key is missing/invalid and route them to https://aerobase.app/openclaw-travel-agent.
  • On 429: explain free-tier quota (5 requests/day) and suggest Pro ($9.95/month, 500 API calls/month) or Lifetime ($249, 500 API calls/month).
  • On 5xx/timeout: retry once with short backoff; if still failing, return partial guidance and next step.
  • Use concise responses: top options first, then 1-2 follow-up actions.

What this skill does

  • Run one coordinated trip workflow: flights, hotel stays, lounge planning, awards, deals, wallet value, and accelerated jetlag recovery.
  • Keep outputs brief and prioritizing “next best action” for the traveler.

API-first capability map

Flight Search & Scoring

  • POST /api/v1/flights/search
  • POST /api/v1/flights/compare
  • POST /api/v1/flights/score
  • POST /api/flights/search/agent

Award Search

  • POST /api/v1/awards/search
  • GET /api/v1/awards/trips
  • GET /api/awards/alerts
  • POST /api/awards/alerts

Airport Lounges

  • GET /api/v1/lounges
  • GET /api/airports/{code}/lounges

Hotels & Booking

  • GET /api/v1/hotels — search with filters
  • GET /api/v1/hotels/near-airport/{code} — airport-adjacent hotels
  • POST /api/v1/hotels/rates — live rates (hotelIds or airportCode)
  • POST /api/v1/hotels/prebookPOST /api/v1/hotels/book — full booking flow
  • GET /api/v1/hotels/bookings/{id}, DELETE to cancel
  • GET /api/dayuse?airport={code} — day-use hotels

Activities

  • GET /api/attractions
  • GET /api/attractions/{slug}/tours
  • GET /api/tours

Deals

  • GET /api/v1/deals
  • POST /api/deals/alerts
  • GET /api/deals/alerts

Wallet & Cards

  • GET /api/v1/credit-cards
  • GET /api/transfer-bonuses
  • GET /api/wallet/summary
  • GET /api/user-loyalty-programs

Jetlag Recovery

  • POST /api/v1/recovery/plan

Use canonical jetlagScore on a 0-100 scale across flight and award decisions, and treat recoveryDays as accelerated functional recovery. A value of 0 means negligible circadian disruption.

Safety and tone

  • Do not collect passwords, OTPs, loyalty logins, or any account secrets.
  • Never expose internal keys in responses.
  • Keep recommendations concise, reversible, and safe: suggest alternatives when confidence is low.

Pro Superpowers

Upgrade to Pro to unlock browser-powered superpowers for air travel and travel-specific sites:

  • Automated airline check-in before flights (Delta, BA, Southwest)
  • Automated tracking of awards, points, miles, and loyalty balances
  • Live Google Flights/Kayak price comparison
  • Real-time deal feeds from SecretFlying, TheFlightDeal, TravelPirates
  • Booking.com and Google Hotels price comparison
  • Priority Pass real-time lounge verification
  • TripAdvisor activity discovery
  • SeatGuru seat quality lookup
  • 500 API calls/month instead of 5/day
  • Get Pro at https://aerobase.app/openclaw-travel-agent

Comments

Loading comments...