← Back to Skills Marketplace
Show Booking
by
danielfoch
· GitHub ↗
· v0.1.0
729
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install show-booking
Description
Book real estate showing tours from emailed or pasted listing details, including extracting listing data, preparing outbound call jobs, coordinating a callin...
Usage Guidance
This skill's local scripts (parsing, planning, .ics creation) are coherent and low-risk, but the critical calling step is delegated to an external 'tour-booking' component that is not included and which the references say uses ElevenLabs (voice API). Before installing or running this skill: (1) confirm where 'tour-booking/scripts/place_outbound_call.py' lives and inspect its code and endpoints; (2) don't provide ELEVENLABS_API_KEY or related credentials unless you trust that sub-agent and have audited its behavior; (3) if you need to test, use the documented --dry-run mode so no live calls or external network transmission happens; (4) consider privacy and telemarketing/regulatory obligations before allowing live calls that transmit client PII; (5) request the publisher to update metadata to declare required environment variables and dependencies (so the credential access is explicit). If you cannot verify the external calling component, treat the calling/delegation portion as a potential data-exfiltration risk and avoid enabling live-call execution.
Capability Analysis
Type: OpenClaw Skill
Name: show-booking
Version: 0.1.0
The skill bundle is classified as suspicious due to a Local File Inclusion (LFI) vulnerability risk. The Python scripts (`scripts/intake_request.py`, `scripts/orchestrate_showings.py`, `scripts/create_invite_ics.py`) accept file paths as command-line arguments (e.g., `--input-file`, `--input`). A malicious prompt could instruct the AI agent to provide paths to arbitrary sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), potentially leading to information disclosure if the agent is instructed to output error messages or partial content. While the scripts expect JSON input and would error on non-JSON files, the ability to attempt reading arbitrary files without path validation is a significant vulnerability. There is no evidence of intentional malicious behavior like data exfiltration or remote code execution.
Capability Assessment
Purpose & Capability
The name/description align with the included scripts (parsing intake, building call queues, and producing .ics files). However, the runtime workflow explicitly delegates outbound calling to a separate 'tour-booking' sub-agent (place_outbound_call.py) and the references document mentions ElevenLabs API keys — yet the skill metadata declares no required environment variables or primary credential. That omission is disproportionate to the stated end-to-end calling capability.
Instruction Scope
SKILL.md tells the agent to run local scripts and to invoke an external sub-agent script for placing outbound calls. The provided code is local and file-based, but the calling step hands off listing metadata, client identity, and callbacks to 'tour-booking', which is not included here. That sub-agent is described as handling ElevenLabs integration (voice calls) and could transmit PII to external services. The instructions therefore implicitly permit network calls and transmission of personal data without declaring those endpoints/credentials.
Install Mechanism
There is no install spec and the code shipped is small, local Python scripts. Nothing in this package attempts to download or install external binaries; risk from the install mechanism itself is low.
Credentials
The 'integration-notes' reference required environment variables for live calls (ELEVENLABS_API_KEY, ELEVENLABS_AGENT_ID, optional ELEVENLABS_OUTBOUND_URL), but the skill's declared requirements list none. A skill that initiates outbound voice calls would legitimately need such credentials — their absence from the metadata is an incoherence that hides the need to supply sensitive keys to enable the full workflow.
Persistence & Privilege
The skill does not request always:true, system-level config paths, or persistent privileges. It reads/writes local files under paths supplied at runtime (e.g., /tmp or user-provided paths), which is consistent with its described function.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install show-booking - After installation, invoke the skill by name or use
/show-booking - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of show-booking skill—automates requesting and confirming real estate showings.
- Parses free-form requests or emailed listing details to extract booking data.
- Builds and manages per-listing outbound call jobs, including data quality checks.
- Coordinates a calling sub-agent for live or dry-run outbound booking calls.
- Generates calendar invites (.ics) for confirmed showings.
- Returns concise confirmations and blocks incomplete requests (e.g., missing phone numbers).
- Implements guardrails for legal compliance, caller identification, and audit trails.
Metadata
Frequently Asked Questions
What is Show Booking?
Book real estate showing tours from emailed or pasted listing details, including extracting listing data, preparing outbound call jobs, coordinating a callin... It is an AI Agent Skill for Claude Code / OpenClaw, with 729 downloads so far.
How do I install Show Booking?
Run "/install show-booking" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Show Booking free?
Yes, Show Booking is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Show Booking support?
Show Booking is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Show Booking?
It is built and maintained by danielfoch (@danielfoch); the current version is v0.1.0.
More Skills