Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trip Booking Center (行程预订中心)

v1.0.0

Booking.com international hotel booking assistant: supports global hotel search, room-type lookup, price comparison, and reservation management. Invoke when user wants to search international hotels, book hotels on Booking.com, or manage Booking.com reservat...

0 · 67 · 0 current · 0 all-time
by 赵瑞宇 (@ryan-zry) · duplicate of @gaogao605/trip-booking
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability [flagged]
The name and description match a Booking.com booking helper, and the code implements search, detail, and booking functions, which is coherent. However, SKILL.md insists on using the Booking.com Affiliate API with an API key, while the package declares no credential or configuration mechanism at all; instead the code contains hard-coded placeholders (BOOKING_API_KEY = "your_api_key", BOOKING_AFFILIATE_ID = "your_affiliate_id"). That omission is inconsistent with the stated purpose and forces users to edit the source to supply secrets, which is how real keys end up copied into the package or shared with it.
Instruction Scope [flagged]
SKILL.md restricts behaviour (the skill must call the official Affiliate API and must not fabricate data) and documents endpoints. The included Python modules appear to call external endpoints via requests, but they also contain mocked return values and TODOs, i.e. the real API calls are not implemented. The instructions do not explain how to supply credentials, nor where network traffic goes at runtime beyond the documented Booking.com base URL, so runtime behaviour may differ from what SKILL.md promises.
Install Mechanism
No install spec is provided (instruction-only installation), which minimizes installation risk: the skill only requires python3 on PATH and ships Python source files. No external archives or untrusted download URLs are used.
Credentials [flagged]
The code needs an API key and an affiliate ID to operate against Booking.com, yet the skill declares no required environment variables and no primary credential; the credentials exist only as hard-coded placeholders in the source. This is disproportionate: an API-integrated skill should declare its credential requirements (environment variables or a config file) rather than expect direct edits to its code. No other secrets are requested, which is appropriate, but the missing credential handling is a red flag.
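What the scan is asking for, as an added example for this review (not code from the skill or from ClawHub): the hard-coded placeholder pattern reported above, next to a loader that reads the same values from the environment, refuses to start on a missing or unedited template value, and never exposes the key in a repr or log line. The variable names BOOKING_API_KEY and BOOKING_AFFILIATE_ID are assumed here; the package declares none.

```python
"""Credential handling for an API-backed skill: the hard-coded placeholder
pattern the scan reports, next to an environment-based loader that fails
fast on missing or placeholder values and never exposes the key in logs.
Added example for this review; not code from the skill or from ClawHub.
"""
import os
import re
from dataclasses import dataclass

# What the scan found in the package: template values baked into the source
# that a user is expected to overwrite by hand. Kept here for contrast only.
BOOKING_API_KEY = "your_api_key"
BOOKING_AFFILIATE_ID = "your_affiliate_id"

# Environment variables the skill should declare instead (hypothetical names;
# the package declares none).
REQUIRED_VARS = ("BOOKING_API_KEY", "BOOKING_AFFILIATE_ID")

# Values that look like an unedited template rather than a real credential.
PLACEHOLDER_RE = re.compile(r"^(your_|changeme$|xxx+$|todo$|<.*>$)", re.IGNORECASE)


def redact(secret: str) -> str:
    """Show only the last 4 characters so log lines can be correlated
    without leaking the value; short secrets are masked completely."""
    if len(secret) < 8:
        return "****"
    return "*" * (len(secret) - 4) + secret[-4:]


@dataclass(frozen=True)
class BookingCredentials:
    api_key: str
    affiliate_id: str

    def __repr__(self) -> str:
        # A stray print()/log of this object must not reveal the key.
        return (f"BookingCredentials(api_key={redact(self.api_key)!r}, "
                f"affiliate_id={self.affiliate_id!r})")


def validate_env(env) -> list:
    """Return the problems that would stop the skill from running with the
    given environment mapping: missing variables and placeholder values."""
    problems = []
    for name in REQUIRED_VARS:
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name} is not set")
        elif PLACEHOLDER_RE.match(value):
            problems.append(f"{name} still holds the placeholder {value!r}")
    return problems


def load_credentials(env=None) -> BookingCredentials:
    """Load credentials from the environment (os.environ by default), refusing
    to start with anything that is missing or looks like a template value."""
    env = os.environ if env is None else env
    problems = validate_env(env)
    if problems:
        raise RuntimeError("credential configuration invalid: " + "; ".join(problems))
    return BookingCredentials(env["BOOKING_API_KEY"].strip(),
                              env["BOOKING_AFFILIATE_ID"].strip())


if __name__ == "__main__":
    # Demonstrates the failure mode: the source-level placeholders are what
    # the skill would run with if the user never edits the file.
    print(validate_env({"BOOKING_API_KEY": BOOKING_API_KEY,
                        "BOOKING_AFFILIATE_ID": BOOKING_AFFILIATE_ID}))
```

Failing on a placeholder, rather than silently sending "your_api_key" to the API, is the point: it turns a confusing 401 at runtime into a clear configuration error before any request is made, and it keeps the secret out of the package and out of the repr.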
Persistence & Privilege
The skill does not request permanent/always-on presence, does not declare filesystem config paths, and is user-invocable only. There is no indication it modifies other skills or global agent settings.
What to consider before installing
Do not install or use this skill as-is. Before proceeding:
1. Confirm you have a legitimate Booking.com affiliate/API account and integration rights.
2. Insist that the skill declare its required credentials (e.g., BOOKING_API_KEY, AFFILIATE_ID) as environment variables or a secure config rather than hard-coding them in source.
3. Review and complete the TODOs: the code currently returns mock data and appears incomplete or truncated, which may cause runtime errors or unexpected behaviour.
4. Verify that every outbound network endpoint is an official Booking.com distribution endpoint and that no other, undocumented endpoints are contacted.
5. Run the code in a sandboxed environment and do not paste real API keys until you are satisfied.
6. Prefer a version that uses standard credential handling (environment variables, a secrets manager) and documents its data flows explicitly.
If the author cannot justify why credentials are left out or why the code is incomplete, treat the package as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ahpgsp5zaghpnqex752by9n83wfg0


Runtime requirements
Runtime: Clawdis
Bins: python3
