Waltz Flight Assistant
ReviewAudited by ClawScan on May 13, 2026.
Overview
The plugin matches its flight-booking purpose, but it can send trip details to Waltz, persist trip identifiers, and make real bookings or card charges after user approval.
Install only if you want Waltz to handle real flight searches and bookings. Use the recommended HTTPS backend, review all itinerary and payment details carefully, give explicit approval only when ready to be charged, and clear the plugin’s local state if you want to reset its stored identity or active trips.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
During an active trip, short messages like “yes” or “continue” may be treated as instructions to proceed with the current flight flow.
The skill deliberately keeps active flight conversations routed through its booking tool and interprets short replies in context. This supports the stated purpose, but it can make ambiguous replies continue a booking workflow.
Treat short replies such as `1`, `2`, ... `yes`, `no`, `go ahead`, `book it`, `continue`, and `same one` as continuation turns... Never switch to unrelated tools or skills while a flight search or booking is in progress.
Use clear language when approving payments, and say “cancel this trip” or “start a different trip” before changing topics.
A confirmed approval can lead to an actual flight booking and card charge.
The plugin is designed to use a saved card and complete real bookings after approval. That is purpose-aligned, but it is high-impact account and payment authority.
If `flight_assistant` returns `APPROVAL REQUIRED`, ask the user for explicit approval to charge the saved card for the exact total shown.
Before approving, verify the itinerary, total price, merchant, card context, cancellation/refund terms, and that the payment link is the expected Stripe-hosted flow.
Your trip details, passenger information you provide, and booking workflow context may be processed by the Waltz backend.
Flight conversation messages are sent to the configured hosted A2A backend along with a stable OpenClaw identifier. This is expected for the integration, but it carries sensitive travel and booking context outside the local agent.
metadata: { openclawId: params.openclawId } ... fetch(`${requireBaseUrl(params.config)}/a2a`, { method: "POST", headers: buildHeaders(params.config), body: JSON.stringify(rpcBody)Use the recommended HTTPS Waltz backend unless you trust an alternate deployment, and review the provider’s privacy and booking policies before sharing sensitive travel details.
The assistant can resume active trips and retrieve bookings tied to the same local identity, but local state files also retain identifiers for that purpose.
The plugin persists a stable OpenClaw ID and active trip session metadata locally. Active sessions are time-limited, but the stored ID can link future booking recall to the same user identity.
await writeFile(filePath, `${generated}\n`, "utf8"); ... contextId: updates.contextId, ... channelId: updates.channelId ... conversationId: updates.conversationId ... accountId: updates.accountId ... expiresAt: now + ACTIVE_FLIGHT_TTL_MSIf you stop using the plugin or want to reset booking identity, disable the plugin and remove its state directory under the OpenClaw state path.