ctrip-hotel-search

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires users to store their Ctrip username and password in a local config.json file in plaintext. These credentials are used by the automation scripts in src/login.js to perform automatic logins. This pattern exposes sensitive user credentials to any entity that can read the file system.
  • [EXTERNAL_DOWNLOADS]: The installation instructions in README.md and QUICK_START.md require downloading external browser binaries using npx playwright install and various Node.js dependencies from the npm registry.
  • [COMMAND_EXECUTION]: The skill executes shell commands to automate browser setup and dependency management during the installation and update phases.
  • [DATA_EXFILTRATION]: The Python scripts search_hotels.py and search_with_brave.py send search queries and user-provided API keys to an external third-party gateway at gateway.maton.ai.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 04:45 AM