tripclaw
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill does what it says—imports a user-provided trip to TripClaw via an API key—but users should review the trip data and protect the API key before syncing.
Before installing, confirm that api.tripclaws.com is the correct TripClaw API endpoint, keep your API key private, and ask the agent to show the itinerary JSON before importing. Avoid putting secrets or highly sensitive travel details on the command line when possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent sends incorrect generated data, that trip may be saved to the user's TripClaw account.
The included tool performs a POST to create/import trip data in the external TripClaw service. This is expected for the skill, but it is an account-changing action.
API_BASE_URL = "https://api.tripclaws.com"
API_ENDPOINT = "/v1/trips/import"
...
method="POST"
Preview or validate the trip JSON before import, and use the script's validate-only mode when unsure.
Anyone who obtains the API key may be able to act on the user's TripClaw account within that key's permissions.
The script uses a bearer API key to authenticate to TripClaw. This is purpose-aligned, but the key is sensitive delegated account authority.
"Authorization": f"Bearer {api_key}"
Store the key in a local environment variable or secure config, avoid sharing it, prefer scoped/revocable keys if available, and rotate it if exposed.
Personal travel plans and related details will be shared with TripClaw when syncing.
The skill explicitly sends itinerary data, including locations, accommodations, activities, and budget, to an external provider API.
Supports syncing trip data (waypoints, accommodations, activities, budget, etc.) to the user's TripClaw account via the API.
Only sync data you are comfortable storing in TripClaw, and confirm the destination API endpoint is the one you intend to use.
It is harder for a user to independently confirm that the skill and API endpoint are officially associated with TripClaw.
The registry metadata does not provide an upstream source or homepage for verifying the publisher or official TripClaw integration.
Source: unknown
Homepage: none
Install only if you trust the publisher, and verify the TripClaw API endpoint and API-key instructions through an official channel.
