Hostex

v0.1.1

Hostex (hostex.io) OpenAPI v3.0 skill for querying and managing vacation rental properties, room types, reservations, availability, listing calendars, guest messaging, reviews, and webhooks via the Hostex API. Use when you need to integrate with Hostex API using a Hostex PAT (Hostex-Access-Token / HostexAccessToken) or when you need safe, intent-level API calls (read-only by default, optional write operations with explicit confirmation).

⭐ 1· 1.8k·0 current·0 all-time

byAnson@ansonfreeman

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

ℹ

Purpose & Capability

Name/description, OpenAPI file, and scripts consistently implement a Hostex API client (read and guarded write operations). However the registry metadata lists no required credentials while the SKILL.md and scripts require HOSTEX_ACCESS_TOKEN (and optionally HOSTEX_ALLOW_WRITES/HOSTEX_BASE_URL). This metadata mismatch is unexpected.

✓

Instruction Scope

SKILL.md and the scripts restrict actions to the Hostex API and local OpenAPI caching; write operations are gated by an environment flag and explicit --confirm flow. There are no instructions to read unrelated files or exfiltrate data to third-party endpoints.

✓

Install Mechanism

No install spec (instruction-only). Scripts are included in the bundle but there is no download-from-URL or third-party package installation. Risk from install mechanism is low.

Credentials

The skill legitimately requires an API token (HOSTEX_ACCESS_TOKEN) and optionally HOSTEX_ALLOW_WRITES and HOSTEX_BASE_URL, but the registry metadata declares no required env vars or primary credential. Requesting a Hostex PAT is proportional for the stated purpose, but the omission from metadata is an incoherence that should be resolved before granting credentials.

✓

Persistence & Privilege

always is false and the skill does not request automatic persistent privileges or modify other skills. The openapi-sync script writes a local openapi.json copy under skills/hostex/references, which is reasonable for caching but worth noting.

What to consider before installing

This package appears to be a straightforward Hostex API client (read operations by default, write operations require HOSTEX_ALLOW_WRITES=true and --confirm). However: 1) the registry metadata claims no required credentials even though the SKILL.md and scripts require HOSTEX_ACCESS_TOKEN (and optionally HOSTEX_ALLOW_WRITES and HOSTEX_BASE_URL) — treat this as a red flag and verify the publisher before supplying credentials; 2) prefer creating and using a read-only Hostex PAT; 3) if you run the included scripts, run them in an isolated environment and check what they log (the code redacts tokens but error objects may include redacted token snippets); 4) enabling HOSTEX_ALLOW_WRITES grants the skill the ability to make changes — require staged tests and manual confirmation; 5) verify hostex.io and the unknown skill source (no homepage) to ensure you're not giving credentials to a malicious or typo-squatted endpoint. If you want higher assurance, ask the publisher to correct the registry metadata to declare HOSTEX_ACCESS_TOKEN as the primary credential and provide a verifiable source/homepage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b10054x68x2pzgm409tzhwd80ebpb

1.8kdownloads

1stars

2versions

Updated 1mo ago

v0.1.1

MIT-0

Hostex API Skill (Node)

Auth (PAT)

Set env var: HOSTEX_ACCESS_TOKEN
Requests use header: Hostex-Access-Token: <PAT>
OpenAPI security scheme name: HostexAccessToken

Default recommendation: use a read-only PAT.

Dates / timezone

All date params are YYYY-MM-DD
Interpret dates in property timezone (no UTC timestamps)

OpenAPI source of truth

Stable OpenAPI JSON:

https://hostex.io/open_api/v3/config.json

Use scripts/openapi-sync.mjs to cache a local copy into references/openapi.json.

Quick commands (scripts)

All scripts expect HOSTEX_ACCESS_TOKEN.

Read-only (safe)

List properties:

node skills/hostex/scripts/hostex-read.mjs list-properties --limit 20

List reservations (by check-in range):

node skills/hostex/scripts/hostex-read.mjs list-reservations --start-check-in-date 2026-02-01 --end-check-in-date 2026-02-28 --limit 20

List reservations (by reservation code):

node skills/hostex/scripts/hostex-read.mjs list-reservations --reservation-code 0-1234567-abcdef

Get availability:

node skills/hostex/scripts/hostex-read.mjs get-availabilities --start 2026-02-10 --end 2026-02-20 --property-id 123

Writes (guarded)

Writes are disabled unless:

HOSTEX_ALLOW_WRITES=true

and you pass --confirm.

Send message:

HOSTEX_ALLOW_WRITES=true node skills/hostex/scripts/hostex-write.mjs send-message --conversation-id 123 --text "Hello!" --confirm

Update listing prices (single range example):

HOSTEX_ALLOW_WRITES=true node skills/hostex/scripts/hostex-write.mjs update-listing-prices \
  --channel-type airbnb \
  --listing-id 456 \
  --start 2026-02-10 \
  --end 2026-02-15 \
  --price 199 \
  --confirm

Update listing prices (multi-range in one request):

HOSTEX_ALLOW_WRITES=true node skills/hostex/scripts/hostex-write.mjs update-listing-prices \
  --channel-type booking_site \
  --listing-id 100541-10072 \
  --prices "2026-02-03..2026-02-05:599,2026-02-06..2026-02-07:699,2026-02-08..2026-02-09:599" \
  --confirm

Create reservation (Direct Booking) (example):

HOSTEX_ALLOW_WRITES=true node skills/hostex/scripts/hostex-write.mjs create-reservation \
  --property-id 123 \
  --custom-channel-id 77 \
  --check-in-date 2026-02-10 \
  --check-out-date 2026-02-12 \
  --guest-name "Alice" \
  --currency USD \
  --rate-amount 200 \
  --commission-amount 0 \
  --received-amount 200 \
  --income-method-id 3 \
  --confirm

Update property availabilities (close/open) (example):

# Close a property for a date range
HOSTEX_ALLOW_WRITES=true node skills/hostex/scripts/hostex-write.mjs update-availabilities \
  --property-ids "11322075" \
  --available false \
  --start-date 2026-02-03 \
  --end-date 2027-02-02 \
  --confirm