Travel Planner - Notion AI, Obsidian, Kontour.ai integration
PassAudited by ClawScan on May 3, 2026.
Overview
The visible artifacts look like an offline travel-planning helper, but the marketplace capability signals mention credentials and purchases even though the docs say they are not used.
This appears safe to use as an offline travel-planning aid based on the provided artifacts. Before installing, verify the repository/version, do not provide travel-account credentials or payment information, and treat any booking or OAuth capability as inactive unless a future version clearly documents it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be confused about whether the skill needs travel-account credentials or can make purchases.
These signals imply high-impact credential or purchase authority, while the visible SKILL.md and README claim no credentials, OAuth, or booking/payment execution. The provided code evidence does not show such use, so this is treated as a clarification note rather than a concern.
Capability signals: crypto; can-make-purchases; requires-oauth-token; requires-sensitive-credentials
Do not provide OAuth tokens, payment details, or booking account credentials unless a future version clearly documents and scopes that access.
Installing from an unverified repository could expose users to changed or unexpected files in later versions.
Installation is directed through a GitHub-style skill reference, while the registry source is listed as unknown. This is common for skills and not malicious by itself, but it is a provenance point users should verify.
npx skills add Bookingdesk-AI/kontour-travel-planner
Install only from the expected repository/version and review updates before enabling new capabilities.
If invoked with the wrong output path, it could overwrite a file the user can write to.
The export script can write a KML file to a user-specified path. This is purpose-aligned for map export and uses local processing, but users should ensure the output path is intentional.
Usage: ./export-gmaps.sh <itinerary.json> [--kml output.kml]
Use explicit, non-sensitive output locations for KML exports and review generated map links before sharing them.