Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daolv Hotel Booking

Hotel discovery, shortlist comparison, and booking handoff using the ai-go-hotel MCP server (getHotelSearchTags, searchHotels, getHotelDetail). Use when user...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 407 · 2 current installs · 2 all-time installs
by KaiChan @cnchenkai
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (hotel discovery, shortlist, booking handoff via ai-go-hotel MCP) aligns with the SKILL.md workflow and referenced MCP calls (getHotelSearchTags, searchHotels, getHotelDetail). However, the skill packages a prefilled MCP Authorization header in references/mcp-client-config.json rather than declaring a credential or requiring the integrator to supply a key, which is unexpected and disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructions are narrowly focused on collecting booking constraints, calling the three MCP endpoints, caching tags per task, enriching finalists, and producing a concise decision-ready output. That scope is consistent with the stated purpose. It does, however, direct use of the embedded MCP preset (references/mcp-client-config.json) so user booking queries and associated user-provided constraints will be sent to https://mcp.aigohotel.com/mcp under the embedded Authorization header—an external data flow that should be explicit to users.
Install Mechanism
There is no install spec and no code files beyond documentation; the skill is instruction-only. This minimizes on-disk arbitrary code installation risk.
Credentials
The skill declares no required env vars or primary credential, yet references a JSON client preset that contains a hard-coded Authorization: Bearer mcp_171e1ffa7da343faa4ec43460c52b13f. Bundling a bearer token in the skill is disproportionate and incoherent with the declared requirements and the SKILL.md's own admonition to avoid credential exposure. It raises questions about who owns the token, whether it is valid, and whether calls will run under a third party's account.
Persistence & Privilege
The skill is not configured as always:true and has no install scripts or code that would modify other skills or agent-wide settings. It appears to require only normal, user-invoked access.
What to consider before installing
This skill appears to do what it claims (hotel search and detail enrichment via the ai-go-hotel MCP), but it includes a hard-coded MCP Authorization bearer token inside references/mcp-client-config.json while declaring no required credentials — a red flag. Before installing or publishing:

  1. Ask the author why a prefilled bearer token is included and whether it is a placeholder.
  2. Do not publish or use the skill until the token is removed or replaced with a configuration that requires the integrator to supply their own API key (via env var or secure secret store).
  3. If you already installed or tested the skill using the embedded token, consider that user booking queries (destination, dates, possibly PII) were sent to the external endpoint under that token — ask the owner for retention, logging, and privacy policies.
  4. If you control the server side of this integration, rotate any exposed keys immediately.
  5. Prefer skills that declare required credentials explicitly and do not embed secrets in code or config files.

Current version: v0.1.3

SKILL.md

Daolv Hotel Booking

Provide reliable hotel planning and booking support with structured MCP calls and decision-ready outputs.

Workflow

  1. Capture booking intent before calling tools
  • Extract: destination, check-in date, nights, adults/children, room count, budget, purpose (business/family/leisure), required amenities, preferred/avoided brands.
  • If key constraints are missing, ask only the minimum follow-up questions.
  2. Prime tags once per task
  • Call ai-go-hotel.getHotelSearchTags once.
  • Cache returned tags for the rest of the conversation.
  • Use those tags to build hotelTags.requiredTags, preferredTags, excludedTags, and optional budget constraints.
  3. Search hotels with normalized parameters
  • Call ai-go-hotel.searchHotels with:
    • place
    • placeType
    • originQuery
    • optional checkInDate, stayNights, adultCount, size, starRatings, hotelTags, countryCode, distanceInMeter, withHotelAmenities, language
  • Prefer size=8-12 for first pass; narrow to top 3-5 in final output.
  • Respect live schema behavior:
    • an invalid, past, or empty checkInDate may fall back to tomorrow
    • price is an object (use price.lowestPrice + price.currency)
    • some fields can be null or missing
  • placeType can be normalized from user language:
    • 城市/city → 城市
    • 机场/airport → 机场
    • 景点/attraction → 景点
    • 火车站/railway station → 火车站
    • 地铁站/metro → 地铁站
    • 酒店/hotel → 酒店
  4. Enrich finalists with room-level details
  • For each shortlisted option, call ai-go-hotel.getHotelDetail (prefer hotelId when available).
  • Pass dates with checkInDate / checkOutDate format YYYY-MM-DD.
  • Handle fallback and edge behavior:
    • invalid/empty dates may auto-correct
    • failures may return plain text (not structured JSON)
    • roomRatePlans can be very large; render only top rows by relevance/price
  • Extract actionable room/price data, cancellation policy, breakfast inclusion, and important constraints.
  5. Return decision-ready output
  • Always provide:
    • Recommended option (best fit)
    • Two alternatives
    • Why each matches constraints
    • Trade-offs (price vs distance vs amenities)
    • Booking handoff steps (what user should confirm next)

Output Template

Use concise bullet format:

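  • Trip details: destination / dates / number of guests / budget / key preferences
  • Recommended hotel (first choice)
    • Hotel name
    • Estimated price (per night & total)
    • Location and transport
    • Room highlights
    • Cancellation and breakfast policy
    • Why it is recommended
  • Alternative 1 / Alternative 2 (same structure)
  • Decision advice: who it suits and risk notes
  • Next confirmations: list only the 2-4 necessary confirmation items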

Quality Bar

  • Prefer concrete numbers over vague wording.
  • Do not invent unavailable policies/prices.
  • If data is missing or stale, say so explicitly and suggest a refresh query.
  • Keep choices constrained: no long dump lists.
  • Avoid credential exposure or config leakage.

MCP Preset Config

  • Embedded MCP preset is included at:
    • references/mcp-client-config.json
  • It targets https://mcp.aigohotel.com/mcp using streamable_http and a prefilled Authorization header.
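
A pre-publish check for the prefilled-header pattern described above, as an added example that is not part of the skill or of the ClawHub scanner: it walks an MCP client preset and reports any credential header holding a literal value instead of a reference the integrator must resolve. The page does not show the contents of references/mcp-client-config.json, so the JSON layout (`mcpServers` / `headers`), the token string and the `AIGOHOTEL_MCP_TOKEN` variable name are constructed assumptions.

```python
import json
import re

# Header names that normally carry a credential (compared lowercase).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "api-key"}

# Values that defer the secret to the integrator: ${VAR}, $VAR or <placeholder>,
# optionally preceded by an auth scheme such as "Bearer".
PLACEHOLDER = re.compile(
    r"^(?:(?:Bearer|Basic|Token)\s+)?"
    r"(?:\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*|<[^<>]+>)$",
    re.IGNORECASE,
)

def redact(value):
    """Keep the scheme and a 4-character prefix so a report never repeats the secret."""
    scheme, sep, secret = value.strip().partition(" ")
    if not sep:
        scheme, secret = "", value.strip()
    return f"{scheme} {secret[:4]}...({len(secret)} chars)".strip()

def find_embedded_credentials(config, path="$"):
    """Return (json_path, redacted_value) for every literal credential header."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            here = f"{path}.{key}"
            if key.lower() in SENSITIVE_HEADERS and isinstance(value, str):
                if value.strip() and not PLACEHOLDER.match(value.strip()):
                    findings.append((here, redact(value)))
            else:
                findings.extend(find_embedded_credentials(value, here))
    elif isinstance(config, list):
        for index, item in enumerate(config):
            findings.extend(find_embedded_credentials(item, f"{path}[{index}]"))
    return findings

# Constructed presets (assumed layout): the flagged form and the corrected form.
BUNDLED = json.loads("""{"mcpServers": {"ai-go-hotel": {
  "type": "streamable_http", "url": "https://mcp.aigohotel.com/mcp",
  "headers": {"Authorization": "Bearer mcp_CONSTRUCTED_EXAMPLE_TOKEN"}}}}""")
CORRECTED = json.loads("""{"mcpServers": {"ai-go-hotel": {
  "type": "streamable_http", "url": "https://mcp.aigohotel.com/mcp",
  "headers": {"Authorization": "Bearer ${AIGOHOTEL_MCP_TOKEN}"}}}}""")

if __name__ == "__main__":
    for name, preset in (("bundled", BUNDLED), ("corrected", CORRECTED)):
        print(name, find_embedded_credentials(preset) or "no embedded credentials")
```
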

Platform Distribution

When user asks to publish/distribute this skill, follow the checklist in:

  • references/distribution.md
  • references/promo-copy.md

Files

5 total