ClawHub

Travel Search

v1.5.0

Find the best travel deals by searching and comparing flights, hotels, Airbnb stays, car rentals, and ferries across multiple providers simultaneously. Smart...

1· 150·0 current·0 all-time
byAdrian Ambrosetti@adrianetti
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (search flights/hotels/ferries/etc.) match the declared runtime behavior: the SKILL.md documents calling MCP servers for Kiwi, Skiplagged, Trivago, Ferryhopper, optional local Airbnb/fli MCPs. Required binaries (only curl) and no env vars are proportionate to the stated purpose.
Instruction Scope
Instructions are focused on making JSON-RPC (MCP) calls via curl, parsing SSE and header files in /tmp (examples use curl -D /tmp/...). They do not ask for unrelated local secrets or global system reads. Note: examples show writing/reading temporary header files and using shell parsing (grep/awk), and the skill tells the agent to include booking deep links and explain trade-offs — all within expected scope for a travel aggregator.
Install Mechanism
No install spec — instruction-only skill. The repository includes a small helper shell script (scripts/mcp-call.sh) but there is no automatic download or archive extraction. This is the lower-risk model for skills; still inspect the helper script before executing.
Credentials
The skill declares no required environment variables, no credentials, and no config-path access. That is appropriate for a skill that performs unauthenticated HTTP calls to public MCP endpoints and for optional local MCP services the user must install separately.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require persistent presence or elevated privileges. It relies on agent-run network calls only.
Assessment
This skill appears coherent with its travel-search description and mostly performs straightforward network calls to public MCP endpoints using curl. Before installing or invoking it: 1) Inspect scripts/mcp-call.sh to confirm it only wraps safe curl/json parsing and does not exfiltrate local files or secrets. 2) Verify the listed MCP endpoints (mcp.kiwi.com, mcp.skiplagged.com, etc.) are legitimate and accessible from your environment and that they accept unauthenticated MCP calls (some provider APIs may require keys or have usage policies). 3) Be aware the agent will make outbound HTTP requests and write temporary header files (examples use /tmp/*.txt); if you run agents with sensitive local credentials, ensure they are not exposed. 4) Optional providers (Airbnb via @openbnb/mcp-server-airbnb, fli) require separate, local installation (Node/Python) that you should install and review yourself. If you need higher assurance, ask the skill author for provenance (source repo/homepage) or perform a minimal test in a sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971p1jnhh50rnv4sxhms5aw7n83pcmm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✈️ Clawdis
Binscurl

Comments