酒店机票预订
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill claims to use live Booking.com data, but the included code returns mock hotel data and the reservation/cancellation workflow lacks clear user-confirmation safeguards.
Review this skill carefully before installing. It appears to be a demo or incomplete implementation because it returns mock hotel data despite claiming live Booking.com results. Do not use it to make booking decisions unless live API behavior is verified, and require manual confirmation before any reservation creation or cancellation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users could be shown fake or stale hotel prices, availability, ratings, or details while believing they came from Booking.com.
The code explicitly uses simulated hotel data instead of the real Booking.com API, while the skill description says data must come from Booking.com and must not be fabricated.
# TODO: 实现真实的Booking API调用
# result = self._request("bookings.getHotels", params)
# 模拟返回数据Do not rely on this skill for real travel decisions until mock responses are removed or clearly labeled as demo data and live API calls are implemented and verified.
An agent using the skill could potentially create or cancel travel reservations without sufficiently clear user review, causing charges or travel disruption.
The skill describes high-impact booking creation and cancellation actions but does not define approval, confirmation, policy-review, fee-review, or rollback safeguards.
预订管理:创建订单、查询订单、取消订单 ... create_booking_reservation | 创建预订 | hotel_id, room_id, guest_info ... cancel_booking_reservation | 取消预订 | reservation_id
Require explicit user confirmation immediately before any reservation creation or cancellation, including hotel, dates, guest details, total price, cancellation policy, and any fees.
A user may not realize that a real deployment would need a Booking.com API key with whatever account permissions that key grants.
The metadata declares no credential requirement, but SKILL.md states the Booking integration uses an API Key and the code includes BOOKING_API_KEY, so users should know that account/API authority is still involved.
Required env vars: none ... Primary credential: none
Declare the required credential explicitly and document the minimum required API scope, where it is stored, and which reservation actions it can authorize.