Back to plugin

Security audit

MoodTrip Hotel Search

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, instructions, and requirements are coherent with a hotel-search/booking integration that talks to a public MoodTrip MCP server; it does not request unrelated credentials or hidden access, but pay attention to a few installer/integration instructions that run remote code.

This plugin appears to do what it says: register hotel-search tools and call MoodTrip's public MCP server for live pricing and booking links. It does not ask for credentials or read local secrets. Before installing: (1) verify the MCP server URL (https://api.moodtrip.ai/api/mcp-http) is correct and you trust moodtrip.ai; (2) avoid blindly running the `npx -y mcp-remote ...` command unless you trust the npm package—npx will fetch and execute remote code; (3) note the plugin may be auto-invoked when users mention hotels (normal for such a plugin), so consider whether you want that behaviour enabled by default; (4) if you require stricter review, inspect the package publish source (repository URL) or run the plugin in a sandboxed environment first.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.