ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Booking Extranet Manager

v1.1.0

Manage Booking.com properties — download reservations, list/reply to guest messages, update rates. Wraps a Python CLI that automates the Booking.com extranet...

0· 90·0 current·0 all-time
byMatsei Ruka@matsei-ruka

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for matsei-ruka/booking-extranet-manager.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Booking Extranet Manager" (matsei-ruka/booking-extranet-manager) from ClawHub.
Skill page: https://clawhub.ai/matsei-ruka/booking-extranet-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: BOT_DIR
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install booking-extranet-manager

ClawHub CLI

Package manager switcher

npx clawhub@latest install booking-extranet-manager
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly requires BOOKING_USERNAME, BOOKING_PASSWORD (and optionally PULSE_TOTP_SECRET) plus BOT_DIR and a local Python environment to run a CLI that controls Chrome. The registry metadata listed no required env vars or primary credential — that is inconsistent. The credentials and filesystem access requested are coherent with the described purpose, but the published metadata not declaring them is a red flag (either metadata is incomplete or the package was mis-declared).
!
Instruction Scope
Runtime instructions tell the agent/user to read a .env file for credentials, activate a venv and run $BOT_DIR/cli.py, persist browser session in .chrome-data/, and use Chrome remote debugging on localhost:9222. Those actions are aligned with automating the extranet but they require filesystem access to sensitive artifacts (credentials, browser session cookies) and the ability to interact with a local browser debugging port — this expands scope beyond a simple API wrapper and should be explicitly acknowledged in metadata and security review.
Install Mechanism
This is an instruction-only skill (no install spec included). The SKILL.md recommends cloning a GitHub repo and pip installing requirements, but the skill itself does not perform downloads or write to disk. Instruction-only format is lower-risk from an install perspective; however following those instructions will install code from the referenced GitHub repo, so users should inspect that repo before running the install steps.
!
Credentials
The credentials requested by the SKILL.md (Booking login, password, optional TOTP secret) are reasonable for a tool that logs into the Booking.com extranet, and BOT_DIR is necessary to locate the CLI. However the registry claims no required environment variables/credentials — an incoherence. Also persisting TOTP secret and browser session locally increases the sensitivity of stored data; requiring these should be explicitly declared and justified in registry metadata.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable (normal). It instructs persisting browser sessions in .chrome-data/ (session cookies, auth tokens) and optionally a TOTP secret in .env — this is useful for automation but increases attack surface on the host. Autonomous invocation is allowed by default; combine that with stored credentials only if you trust the runtime and the code in the referenced repo.
What to consider before installing
Do not install blindly. Key points to consider before using: 1) Metadata mismatch: the skill's SKILL.md requires Booking credentials and BOT_DIR, but the published registry metadata lists none — ask the publisher to correct the metadata or proceed with caution. 2) Credentials and TOTP: the tool expects a .env file with your login/password (and optional TOTP seed). Storing these on disk and persisting Chrome session cookies (.chrome-data/) exposes sensitive tokens on the machine — store them only on a dedicated, secured host and rotate credentials after testing. 3) Inspect upstream code: the skill is instruction-only but points to a GitHub repo; review that repository's code (especially network calls and any telemetry/exfiltration) before cloning and pip installing. 4) Isolate execution: run the bot in a sandboxed VM or dedicated machine (or container) with an account that has limited access. 5) Chrome remote debugging: ensure localhost:9222 is not exposed to other hosts and that you understand how to start Chrome safely for remote debugging. 6) Prefer principle of least privilege: if Booking offers API tokens or scoped access, prefer those over full account passwords and persisted TOTP seeds. If you cannot review the repo or are uncomfortable with on-disk credentials/session persistence, treat the skill as untrusted and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
BOT_DIRrequiredAbsolute path to the booking-extranet-bot directory
BOOKING_HOTEL_IDoptionalDefault property hotel ID (optional, used when --hotel-id is omitted)
latestvk97c96et40zbp0m2ga9e7ddemn83jh65
90downloads
0stars
2versions
Updated 1mo ago
v1.1.0
MIT-0
Matsei Ruka@matsei-ruka
latest
Download

Booking.com Extranet Manager

Automate Booking.com property management through a Python CLI tool. Uses your locally installed Google Chrome (not a headless browser) to interact with the Booking.com partner extranet, avoiding bot detection.

Security Notes

  • Credentials are stored locally in a .env file in the bot directory — never transmitted elsewhere.
  • Browser session is persisted in .chrome-data/ so login + SMS 2FA only happens once. Delete this directory to clear the session.
  • Chrome remote debugging runs on localhost:9222 only — not exposed to the network.
  • The bot connects exclusively to admin.booking.com and account.booking.com.

Prerequisites

The CLI tool must be installed and configured on the host machine:

git clone https://github.com/matsei-ruka/booking-extranet-bot.git
cd booking-extranet-bot
python3 -m venv venv
source venv/bin/activate   # Linux/macOS
pip install -r requirements.txt

Then create a .env file with your credentials:

BOOKING_USERNAME=your_login_name
BOOKING_PASSWORD=your_password
BOOKING_HOTEL_ID=your_default_hotel_id  # optional

Google Chrome must be installed on the host machine.

Environment

  • BOT_DIR: Absolute path to the booking-extranet-bot directory
  • Python venv at $BOT_DIR/venv/bin/python3
  • CLI entry point: $BOT_DIR/cli.py

All commands output JSON to stdout. Logs go to stderr.

Available Commands

List Properties

Get all properties with hotel IDs and unread message counts.

cd $BOT_DIR && source venv/bin/activate && python3 cli.py list-properties

Returns:

{
  "status": "success",
  "action": "list-properties",
  "count": 3,
  "properties": [
    {"hotel_id": "10353912", "name": "Property Name", "unread_messages": 4}
  ]
}

Download Reservations

Download reservations for a date range. Use --json to get data directly, or omit it to save an Excel file.

# As JSON (for processing)
cd $BOT_DIR && source venv/bin/activate && python3 cli.py download-reservations --start 2026-03-01 --end 2026-09-30 --json

# As Excel file
cd $BOT_DIR && source venv/bin/activate && python3 cli.py download-reservations --start 2026-03-01 --end 2026-09-30

Options:

  • --start YYYY-MM-DD (required): Start date
  • --end YYYY-MM-DD (required): End date
  • --date-type: arrival (default), departure, or booking
  • --json: Return data as JSON instead of Excel
  • --output-dir: Directory for Excel file (default: ./downloads)

List Messages

List guest messages for a property. Defaults to unanswered.

cd $BOT_DIR && source venv/bin/activate && python3 cli.py list-messages --hotel-id 10353912

Options:

  • --hotel-id (required): Property hotel ID from list-properties
  • --filter: unanswered (default), sent, or all

Read Message

Open and read a specific conversation with reservation details.

cd $BOT_DIR && source venv/bin/activate && python3 cli.py read-message --hotel-id 10353912 --index 0

Options:

  • --hotel-id (required): Property hotel ID
  • --index (required): Message index from list-messages (0-based)

Send Message

Reply to a guest conversation. Always use list-messages first to get the correct index.

cd $BOT_DIR && source venv/bin/activate && python3 cli.py send-message --hotel-id 10353912 --index 0 --message "Thank you for your message"

Options:

  • --hotel-id (required): Property hotel ID
  • --index (required): Message index from list-messages (0-based)
  • --message (required): Reply text

Update Rates

Update room rates from the CSV pricing file.

cd $BOT_DIR && source venv/bin/activate && python3 cli.py update-rates
cd $BOT_DIR && source venv/bin/activate && python3 cli.py update-rates --hotel-id 13616005

Typical Workflow

  1. List properties to get hotel IDs and see which have unread messages
  2. List messages for properties with unread messages
  3. Read each conversation to understand the guest's request
  4. Send replies as appropriate
  5. Download reservations periodically to track bookings

First Run

On first run, Chrome opens and you must complete the login (including SMS 2FA). Subsequent runs reuse the session — no login needed until the session expires.

Comments

Loading comments...