Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hotel and Flight Booking

v1.0.0

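Booking.com international hotel booking assistant, supporting worldwide hotel search, room type lookup, price comparison, and reservation management. Invoke when user wants to search international hotels, book hotels on Booking.com, or manage Booking.com reservat...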

by 赵瑞宇 @ryan-zry · duplicate of @gaogao605/trip-booking
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description describe a Booking.com integration and the code implements a BookingApi wrapper plus an OpenAI adapter that exposes function-call handlers — that aligns with the declared purpose. However the SKILL.md and code state the skill must call Booking.com Affiliate API and use an API key, yet the skill metadata/requirements do not declare any required environment variables or primary credential. The provided booking_api.py contains placeholders (BOOKING_API_KEY, BOOKING_AFFILIATE_ID) instead of a clear mechanism for supplying secrets.
Instruction Scope
SKILL.md focuses on searching, details, room availability and reservations and explicitly requires using Booking.com Affiliate API and not fabricating data — this keeps scope narrow. The included Python modules follow that scope. A minor scope concern: many API calls are marked TODO and return simulated data, so runtime behavior may not actually contact Booking.com unless the code is changed; it's unclear whether/when the real network calls would run.
Install Mechanism
No install spec is provided (instruction-only/install-free). The skill includes Python source files but does not declare any package installs or external downloads. Risk from install mechanism is low, but running the included Python code will execute whatever network or filesystem operations it contains.
Credentials (!)
The skill claims an API Key authentication model (SKILL.md) and booking_api.py defines BOOKING_API_KEY and BOOKING_AFFILIATE_ID, but requires.env is empty and no primary credential is declared. That mismatch is concerning: the skill needs sensitive credentials to operate correctly, yet it doesn't declare how those credentials should be supplied (env var, config file, or during setup). This gap can lead to accidental hardcoding or insecure handling of keys if implementers fill placeholders improperly.
Persistence & Privilege
Skill flags show no 'always: true' and no special OS or config path requirements. It does not request persistent system privileges or attempt to modify other skills or system-wide settings. Autonomous invocation is enabled by default but is not combined here with broad credential or privileged access.
What to consider before installing
This skill appears to implement a Booking.com integration but has some gaps you should resolve before installing or running its code:

1) Confirm how the Booking API credentials will be provided — the code uses placeholders (BOOKING_API_KEY / BOOKING_AFFILIATE_ID) but the skill metadata doesn't declare required env vars; prefer supplying keys via well-named environment variables or a secure secret store rather than editing source files.
2) Review the Python files locally before execution (they call network endpoints and set an Authorization header).
3) Ask the publisher to clarify the meaning of the 'required' flag in SKILL.md metadata and to update the skill to declare required credentials and a safe install/run guide.
4) Because some API calls are stubbed with mock data, verify whether/when the code will perform live API requests and test in a controlled environment.

If you don't trust the source, do not run the included Python code or provide real API keys until these questions are answered.


latest vk9729m3vb4v0s1ye1kwv64scrs83x4q1


Runtime requirements

🌍 Clawdis
Bins: python3
