Daolv Hotel Booking Assistant
PendingStatic analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users would rely on a packaged shared token whose owner, permissions, lifetime, and logging/account implications are not clear.
The skill package includes a hard-coded bearer credential for the external MCP server, while the supplied metadata says there is no primary credential or required environment variable.
"Authorization": "Bearer mcp_171e1ffa...52b13f"
Remove the embedded token, rotate it, and require each user or deployment to provide its own declared credential through a secure configuration or environment variable with documented scope.
Hotel destinations, dates, guest counts, budgets, and preferences may be transmitted to the hotel MCP provider.
The skill is designed to call an external MCP provider for hotel searches and details; this is purpose-aligned but means user travel details may leave the local agent context.
Endpoint: `https://mcp.aigohotel.com/mcp` (`streamable_http` + prefilled Authorization header)
Use the skill only with travel details you are comfortable sending to the provider, and review the provider’s privacy and data-handling terms before sharing sensitive itinerary information.