酒店管家
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill fits hotel OTA management, but it can change live prices/inventory and run recurring order sync without clear confirmation, rollback, or containment safeguards.
Review carefully before installing. Use test accounts first, provide least-privilege OTA/PMS credentials, use a dedicated browser profile, require manual confirmation before any live price/inventory/status change, and do not run automatic order sync unattended until monitoring and stop procedures are clear.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended invocation could publish incorrect room prices to OTA accounts.
The browser automation workflow instructs the agent to modify a live OTA price field and submit it. The artifacts do not add an explicit approval, dry-run, or rollback step before saving.
5. 找到对应的价格输入框,将其值修改为 "${newPrice}"。 ... 6. 点击页面底部的“保存”或“提交”按钮。
Require explicit user confirmation showing platform, room type, date, old value, new value, and expected impact before submitting any live OTA change; add dry-run and rollback instructions.
One wrong room, date, or base price could propagate across multiple OTA platforms at once.
A single price update is applied across all configured OTA clients concurrently, with no documented per-platform confirmation, blast-radius limit, or rollback handling.
const results = await Promise.all(this.clients.map(async client => { ... return await client.updatePrice(roomTypeId, date, platformPrice); }));
Add platform selection, preview mode, per-platform confirmation, partial-failure handling, and a rollback plan for bulk updates.
The agent may be able to act as the hotel operator in OTA and PMS systems.
The skill uses OTA/PMS credentials and existing logged-in browser sessions. This is purpose-aligned, but it is sensitive delegated account access.
env_vars: OTA_CTRIP_API_KEY, OTA_CTRIP_SECRET, OTA_MEITUAN_API_KEY, OTA_MEITUAN_SECRET, INTERNAL_PMS_URL, INTERNAL_PMS_TOKEN ... UI 自动化模式利用 Agent 已有的浏览器会话
Use least-privilege API keys, a dedicated browser profile/account, and separate test credentials before production use.
Order synchronization may keep running and repeatedly process orders until the process is stopped.
When started, the order sync service continues polling on an interval. This is disclosed and purpose-aligned, but no stop, monitoring, or lifetime guidance is provided.
startAutoSync(intervalMs = 60000) { ... setInterval(() => this.syncOrders(), intervalMs); this.syncOrders(); }
Document how to start, stop, monitor, and limit the recurring sync process, and avoid unattended production use until tested.
Guest or booking data could be transferred between OTA providers and an internal PMS when the integration is completed and configured.
The design moves OTA order data into an internal PMS destination. This is aligned with the stated purpose, but guest/order data boundaries and privacy controls are not fully documented.
const orders = await client.fetchNewOrders(); ... await this.pushToInternalSystem(order, client.platformKey);
Use HTTPS-only allowlisted PMS endpoints, minimize transferred fields, avoid logging personal data, and document retention and access controls.
Users have less provenance and setup assurance for a skill that can affect business systems.
The package source and homepage are not provided, and runtime/credential requirements are under-described in registry metadata, although the included source code is available for review and no remote installer is shown.
Source: unknown; Homepage: none; Required binaries ... none; Install specifications: No install spec — this is an instruction-only skill.
Publish a source repository/homepage and declare Node.js, credential, and configuration requirements in metadata.
