Skill v1.0.19
ClawScan security
MoodTrip Hotel Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 29, 2026, 8:30 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (connecting to api.moodtrip.ai for hotel searches) matches its description, but it asks the agent/platform to auto-edit configuration and to run a dynamically fetched npm package (npx mcp-remote@latest), which is a notable supply‑chain and privilege risk and is unexplained by the manifest.
- Guidance: This skill appears to do what it claims (hotel search via MoodTrip) but contains two notable risks: 1) it asks the platform to auto-edit persistent config so the MCP server is added (the agent would need permission to write/patch platform settings and restart), and 2) the MCP bridge is configured as 'npx mcp-remote@latest ...', which fetches and runs unpinned code from npm each time the bridge is installed/started (supply-chain risk). Before installing: (a) confirm you trust the MoodTrip project and/or its GitHub repo and the skill author (source is listed as unknown in the registry), (b) prefer a pinned package version or an integrity-checked release rather than '@latest', (c) if possible perform the config changes manually (review and run the npx command yourself) instead of allowing an agent to auto-edit platform settings, and (d) review the mcp-remote package source and the referenced GitHub repo (https://github.com/adiny/moodtrip-hotel-search) to ensure no unexpected behavior. If you cannot review or restrict the agent's ability to edit platform config, treat this skill as higher risk.
Review Dimensions
- Purpose & Capability (ok): Name/description and runtime instructions align: the skill only describes searching/comparing/handing off hotels via an MCP server and provides MCP connection instructions and tool names consistent with that purpose.
- Instruction Scope (concern): SKILL.md instructs the agent to read platform configuration paths and, if running on OpenClaw with config-edit capability, to automatically patch platform config to add an MCP server entry and restart the session. Reading and editing platform config is within the stated goal of connecting the MCP server, but granting the agent automatic config-edit and restart rights is high privilege and broad in scope; the instructions also insist on running a stdio bridge rather than using a direct HTTP URL, which requires the platform to execute additional code.
- Install Mechanism (concern): The included mcp.json config runs 'npx -y mcp-remote@latest ...'. That command will fetch and execute the 'mcp-remote' package from npm at runtime using the 'latest' tag (non‑pinned), a dynamic supply‑chain risk. There is no pinned version or integrity check provided. Although no archive download URL or obscure host is present (npm is a known registry), using 'latest' to run code on the host elevates risk beyond an instruction-only skill.
- Credentials (ok): The skill declares no required environment variables, no credentials, and the SKILL.md states the MCP server is public read-only. There are no unusual credential requests in the manifest or instructions.
- Persistence & Privilege (concern): The skill recommends adding a persistent MCP server entry to the platform config (mcpServers.moodtrip), which will create a persistent execution entry that runs 'npx mcp-remote' when the platform loads tools. While persistence is needed to expose tools, this makes the platform repeatedly execute remotely fetched code on each session start and requires the agent/platform to allow writing/patching platform config, a higher privilege than simple request-response behavior.
