srt-booking

The skill is largely aligned with its stated travel-booking purpose and uses standard local secret handling plus a PyPI library. Main risks are moderate: a third-party package receives SRT credentials and can trigger real booking/cancel actions, but there is no clear sign of credential harvesting, hidden exfiltration, or unrelated capability creep.