Agent Hotel Booking
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: brek-ai Version: 1.0.2 The skill bundle is classified as suspicious due to a potential Server-Side Request Forgery (SSRF) vulnerability identified in the `brekRequest` function within `references/api-templates.md`. The function constructs a URL by concatenating `BREK_BASE_URL` and a `path` variable. If dynamic parts of the `path` (e.g., `{sessionId}` as used in `GET /sessions/{sessionId}`) are derived from unsanitized user input by the AI agent, an attacker could inject arbitrary URLs or paths, potentially leading to unauthorized internal network access or data exfiltration. While the `SKILL.md` provides strong security instructions (e.g., never request raw card data, never request secrets via unapproved channels) and the overall intent appears benign, this code pattern represents a significant vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill may perform real booking-related actions if connected to a live Brek partner account.
The skill can drive write-like booking, payment-confirmation, and cancellation events through the Brek API. This is central to the stated hotel-booking purpose and includes idempotency safeguards, but the actions can have real financial or travel consequences.
When `kind` is one of: ... `action_book_option` ... `action_confirm_payment_card` ... `action_cancel_booking` ... Always include `idempotencyKey`.
Use this only with clear user intent and require explicit confirmation before booking, cancellation, payment confirmation, or price-change confirmation events.
Installing or using the skill means delegating Brek partner API access to the agent runtime.
The skill requires a Brek partner API key and base URL. This is expected for the integration, but the registry requirement summary says no env vars or primary credential, so users may not see the credential requirement before reading the skill text.
metadata:\n required_env_vars: BREK_BASE_URL,BREK_PARTNER_API_KEY\n primary_credential: BREK_PARTNER_API_KEY
Declare the credential in registry metadata, store the key in a secret manager, restrict it to the minimum needed scope, rotate it if exposed, and ensure BREK_BASE_URL points only to the approved Brek endpoint.
Usage records may persist beyond the chat session and could reveal which users or tenants made booking-related API calls.
The skill instructs implementers to persist per-call usage records and reconcile them for billing. This is purpose-aligned, but it stores user/session identifiers and does not define a retention period for the billing log.
Store one immutable event per call: ... `partnerId`, `actorId`, `sessionId`, `endpoint`, `requestId`, `statusCode` ... Run daily reconciliation job
Document retention, access controls, and deletion policy for metering logs, and avoid storing raw payment data or unnecessary chat content.