← Back to Skills Marketplace
leo9

Agent Hotel Booking

by leo9 · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
592
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install brek-ai
Description
Integrate with Brek Partner Core Chat API for hotel-search and booking assistant flows. Use when an agent needs to create or continue Brek chat sessions, sen...
README (SKILL.md)

Brek AI Partner Core Chat

Execute Brek through /api/partner/v1/core-chat.

Use this execution order:

  1. Create one session per end user (POST /sessions) with a stable actor.actorId.
  2. Reuse that session for all follow-up messages (POST /events).
  3. Read the latest state when needed (GET /sessions/{sessionId}).

Do not share one session across different users.

Required runtime inputs

Require these inputs before calling Brek:

  • BREK_BASE_URL
  • BREK_PARTNER_API_KEY
  • actorId (stable partner-side end-user ID)
  • workspaceId or tenant context if your product uses workspaces
  • partnerId (stable partner tenant ID for idempotency and billing grouping)
  • clientActionId for each write-like event kind

If one required input is missing, stop and request it.

If BREK_PARTNER_API_KEY is missing:

  • stop outbound calls
  • ask the user to get the key from their internal owner or approved support channel
  • never request secrets through unapproved channels

Call safety guardrails

Apply these guardrails before every upstream call:

  1. Enforce local budget limits from references/call-control.md.
  2. Attach a deterministic idempotencyKey for all write-like event kinds.
  3. Respect 429 with retry-after and exponential backoff.
  4. Open a circuit breaker after repeated 5xx or timeout failures.
  5. Log x-request-id, x-partner-id, x-ratelimit-limit, and x-ratelimit-remaining.

Never retry booking or payment-confirm actions without the same idempotencyKey.

Event-kind rules

When kind is one of:

  • command_book_by_option_id
  • action_book_option
  • action_confirm_price_change
  • action_confirm_payment_card
  • action_cancel_booking

Always include idempotencyKey.

Generate idempotencyKey as:

  • \x3CpartnerId>:\x3CsessionId>:\x3Ckind>:\x3CclientActionId>

If partnerId is unavailable in your runtime, use stable tenant context (for example workspaceId) and keep the key format deterministic.

Payment handling

Handle payment in two layers:

  1. End-user card setup and confirmation in secure portal flow.
  2. Agent-to-agent usage billing and settlement.

Follow references/payment-and-billing.md for both layers.

Hard rules:

  • Never request or store raw card number, CVV, or full PAN in chat.
  • Accept only tokenized paymentMethodId from provider-hosted fields.
  • Require explicit user confirmation before action_confirm_payment_card and booking actions.

Response mapping

Map Brek response as:

  • data.result.status -> state machine key for UI and orchestration
  • data.result.message.text -> user-visible assistant text
  • data.result.artifacts -> structured payload (shortlist, payment setup URL, booking metadata)

Error handling

  • 400: request validation failed. Fix payload.
  • 401/403: API key issue. Stop calls. Tell user to rotate or provision key through their internal owner or approved support channel.
  • 404: session not found or wrong tenant.
  • 409: actor/session mismatch. Recreate correct session.
  • 429: throttle locally and retry by retry-after.
  • 5xx: retry with backoff, then open breaker.

References

Read only what you need:

  • API payload templates: references/api-templates.md
  • Call-control and anti-abuse policy: references/call-control.md
  • Payment and billing orchestration: references/payment-and-billing.md
Usage Guidance
This skill appears to be what it says: a Brek partner core-chat integration. Before installing, verify these points: 1) Confirm which metadata is authoritative — the package registry claims no required env but SKILL.md requires BREK_BASE_URL and BREK_PARTNER_API_KEY; do not provide your API key until you resolve this discrepancy. 2) Ensure the platform will store BREK_PARTNER_API_KEY securely (encrypted at rest, access-controlled) and will not leak it in logs, prompts, or telemetry. 3) Enforce the idempotency, rate-limit, and budget controls described (dedupe store, budget kill-switch) — otherwise you may incur unexpected charges. 4) Because this is an instruction-only skill (no code to audit), run it in a least-privilege execution environment and review network egress policies so the agent can only call your intended BREK_BASE_URL. 5) Confirm the product enforces the SKILL.md's prohibition on collecting raw card data and that any payment flows rely on provider-hosted tokenized fields. If you cannot validate the registry/skill metadata mismatch or secure secret storage, treat the skill as high-risk and delay granting it access to real credentials.
Capability Analysis
Type: OpenClaw Skill Name: brek-ai Version: 1.0.2 The skill bundle is classified as suspicious due to a potential Server-Side Request Forgery (SSRF) vulnerability identified in the `brekRequest` function within `references/api-templates.md`. The function constructs a URL by concatenating `BREK_BASE_URL` and a `path` variable. If dynamic parts of the `path` (e.g., `{sessionId}` as used in `GET /sessions/{sessionId}`) are derived from unsanitized user input by the AI agent, an attacker could inject arbitrary URLs or paths, potentially leading to unauthorized internal network access or data exfiltration. While the `SKILL.md` provides strong security instructions (e.g., never request raw card data, never request secrets via unapproved channels) and the overall intent appears benign, this code pattern represents a significant vulnerability.
Capability Assessment
Purpose & Capability
The skill's declared purpose (Brek Partner Core Chat for hotel search/booking) matches the runtime instructions and API templates: calls to BREK_BASE_URL, use of a partner API key, idempotency, rate-limiting and payment flow rules are appropriate for this integration. The required runtime inputs (actorId, workspaceId, partnerId, clientActionId) and storage requirements (idempotency store, budget/usage logs) also make sense for a booking/billing integration.
Instruction Scope
SKILL.md narrowly instructs how to create/reuse sessions, send events, enforce call-control, handle idempotency, and do payment setup without collecting raw card data. It does not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints; all external calls are described as going to BREK_BASE_URL. The included references restrict behavior (e.g., never collect PAN/CVV) which reduces scope creep.
Install Mechanism
This is instruction-only with no install spec and no code files to execute. That means there is no automated download or install risk from the skill package itself. However, instruction-only status also means there is nothing to audit beyond the prose.
Credentials
The SKILL.md metadata lists BREK_BASE_URL and BREK_PARTNER_API_KEY as required_env_vars and sets BREK_PARTNER_API_KEY as primary_credential — which is appropriate for the described integration — but the registry-level requirements section at the top of the package claims 'Required env vars: none' and 'Primary credential: none'. This metadata mismatch is an incoherence: the skill will need an API key at runtime but the registry entry does not declare it. Verify which is authoritative. Apart from that, the set of secrets requested is limited and proportional to purpose.
Persistence & Privilege
The skill does not request always-on presence and is not marked always:true. It asks implementers to maintain local dedupe/budget/usage stores, which is reasonable for idempotency and billing; that implies persistent storage but not elevated system-wide privileges. The agents/openai.yaml file sets allow_implicit_invocation: false, which is a good restriction (prevents implicit invocation by default).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install brek-ai
  3. After installation, invoke the skill by name or use /brek-ai
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Version 1.0.2 - Added initial OpenAI agent configuration file: agents/openai.yaml - Updated SKILL.md to include a metadata section detailing required environment variables, inputs, and storage requirements.
v1.0.1
brek-ai v1.0.1 - Added `partnerId` and `clientActionId` as required inputs before operations; included deterministic idempotency guidance if `partnerId` is missing. - Clarified secure process for handling missing API keys—direct users to internal owners or approved support channels rather than email contacts. - Revised payment and error handling instructions to avoid requesting secrets or card data through unapproved channels. - Updated error handling: now instructs on using internal procedures to rotate or provision API keys instead of publicly emailing for access. - Improved guarding on when to stop outbound calls if required inputs are missing.
v1.0.0
- Initial release of the brek-ai-skill for integrating with Brek Partner Core Chat API. - Supports hotel search and booking assistant flows with secure session management. - Enforces anti-abuse call controls and idempotency requirements for booking and payment actions. - Handles payment via tokenized methods and explicit user confirmation, without collecting raw card data. - Provides clear runtime input requirements and error handling guidance. - Includes response mapping standards for UI/orchestration.
Metadata
Slug brek-ai
Version 1.0.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Agent Hotel Booking?

Integrate with Brek Partner Core Chat API for hotel-search and booking assistant flows. Use when an agent needs to create or continue Brek chat sessions, sen... It is an AI Agent Skill for Claude Code / OpenClaw, with 592 downloads so far.

How do I install Agent Hotel Booking?

Run "/install brek-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agent Hotel Booking free?

Yes, Agent Hotel Booking is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Agent Hotel Booking support?

Agent Hotel Booking is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Agent Hotel Booking?

It is built and maintained by leo9 (@leo9); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments