Daolv Hotel Booking Assistant
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s hotel-search purpose is coherent, but it ships a hard-coded bearer token for an external MCP service and sends travel-query details to that provider.
Review the embedded MCP credential before installing. The hotel-search workflow itself is reasonable, but the packaged bearer token should ideally be replaced with your own declared credential, and you should avoid sending sensitive travel or personal details unless you trust the external hotel MCP provider.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users would rely on a packaged shared token whose owner, permissions, lifetime, and logging/account implications are not clear.
The skill package includes a hard-coded bearer credential for the external MCP server, while the supplied metadata says there is no primary credential or required environment variable.
`"Authorization": "Bearer mcp_171e1ffa...52b13f"`
Remove the embedded token, rotate it, and require each user or deployment to provide its own declared credential through a secure configuration or environment variable with documented scope.
Hotel destinations, dates, guest counts, budgets, and preferences may be transmitted to the hotel MCP provider.
The skill is designed to call an external MCP provider for hotel searches and details; this is purpose-aligned but means user travel details may leave the local agent context.
Endpoint: `https://mcp.aigohotel.com/mcp` (`streamable_http` + prefilled Authorization header)
Use the skill only with travel details you are comfortable sending to the provider, and review the provider’s privacy and data-handling terms before sharing sensitive itinerary information.
