一站式旅行预订
ReviewAudited by ClawScan on May 10, 2026.
Overview
This Booking.com skill claims to provide real hotel and reservation data, but the visible code returns mock hotel data and the reservation-management instructions lack clear safeguards.
Review this skill carefully before installing. Treat its current hotel results as demo/mock data unless the real Booking.com API integration is completed, and do not use it to create or cancel reservations without explicit final confirmation and verified pricing, fees, and cancellation terms.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make travel decisions based on fabricated or stale hotel information that appears to be live Booking.com data.
The implementation does not call the real Booking.com API for hotel search and instead returns mock hotels as a successful response, which can mislead users about real availability and prices.
# TODO: 实现真实的Booking API调用
# result = self._request("bookings.getHotels", params)
# 模拟返回数据
mock_hotels = [ ... ]Do not rely on the returned hotel prices or availability until the skill uses the real Booking.com API and clearly labels any demo/mock output.
If implemented or invoked as documented, the agent could create or cancel hotel reservations in ways that affect costs and travel plans.
The skill documents high-impact reservation creation and cancellation actions but does not specify mandatory user confirmation, payment review, cancellation-penalty checks, or safe rollback behavior.
| create_booking_reservation | 创建预订 | hotel_id, room_id, guest_info | | cancel_booking_reservation | 取消预订 | reservation_id |
Require explicit user confirmation immediately before any booking or cancellation, including dates, hotel, room, total price, fees, and cancellation terms.
Users may not be warned that a provider API key is needed and could handle the credential insecurely.
The code expects a Booking.com API credential, which is purpose-aligned, but the registry metadata declares no required environment variables or primary credential.
BOOKING_API_KEY = "your_api_key" # 需替换为实际的API Key
...
"Authorization": f"Basic {self.api_key}"Declare the required credential explicitly and load it from a secure environment variable or secret store rather than editing it into code or chat.
Personal travel and guest details may be sent to an external booking API as part of reservation creation.
Reservation creation necessarily involves guest information being passed to the booking provider, but the artifact does not define the exact fields, retention, or handling boundaries.
| create_booking_reservation | 创建预订 | hotel_id, room_id, guest_info |
Share only the information needed for the booking and confirm where guest data will be sent before creating a reservation.
It is harder to verify whether the skill is maintained by a trustworthy party or affiliated with Booking.com.
The skill has limited provenance information, which matters more because it claims to interact with booking APIs and handle booking-related authority.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Verify the publisher and API integration before providing credentials or using it for real reservations.