Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
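Travel Booking Assistant (旅行预订助手)
v1.0.0
Booking.com international hotel booking assistant; supports worldwide hotel search, room-type lookup, price comparison, and booking management. Invoke when user wants to search international hotels, book hotels on Booking.com, or manage Booking.com reservat...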
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's purpose is Booking.com integration and the SKILL.md insists on calling the Booking.com Affiliate API, but the code does not actually perform real API calls (TODOs and simulated/mock responses). The code contains BOOKING_API_KEY and BOOKING_AFFILIATE_ID placeholders instead of using declared/secure credentials. The skill does not declare any required environment variables or primary credential despite needing an API key for its stated purpose.
Instruction Scope
SKILL.md explicitly requires using Booking.com Affiliate/API and forbids fabricating data; however the runtime code (booking_api.py) returns simulated responses (mock_hotels) and comments out the real _request calls. That means the instructions and the actual runtime behavior diverge — the skill may not deliver the promised real-time data unless the code is modified. The instructions do not direct the agent to obtain credentials securely (e.g., from env vars).
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. However, the code requires python3 and the third-party requests library but does not declare dependency installation steps (no pip requirements). This omission is inconsistent with the declared required binaries and could cause runtime surprises.
Credentials
Although the skill needs Booking.com API credentials to function as described, requires.env is empty and no primary credential is declared. Instead the code contains literal placeholders (BOOKING_API_KEY = 'your_api_key'), which encourages editing source to insert secrets or keeping secrets in code — both are bad practices. The lack of declared env vars is disproportionate to the stated API integration.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request elevated host privileges or persistent installation. No evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill is internally inconsistent: SKILL.md says it must call Booking.com affiliate APIs, but the included Python code returns mock data and leaves API keys as hardcoded placeholders. Before installing or running it, consider these actions:
(1) Treat the repository as untrusted until you review and test it.
(2) Do not paste real API keys into the source file; prefer to supply keys through secure environment variables and update the code to read them from env.
(3) Verify the real API call paths are implemented (remove TODOs) and ensure requests/other dependencies are installed in a controlled way.
(4) Confirm the publisher/source (no homepage is provided) and request provenance.
If you cannot validate these changes and the source, avoid using the skill for real bookings — it may produce inaccurate results or require you to place credentials insecurely.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fy5p78y05t5e7wyrnhg8qrn83xqzp
Runtime requirements
🌍 Clawdis
Bins: python3
