Daolv Hotel Booking
ReviewAudited by ClawScan on May 10, 2026.
Overview
The hotel-search workflow is coherent, but the skill bundles a hardcoded MCP bearer token and sends trip details to an external hotel service.
Review the embedded MCP configuration before installing. The hotel-search behavior itself matches the skill description, but the included bearer token should be replaced with a properly declared user- or deployment-specific credential, and you should be comfortable sending trip details to the ai-go-hotel MCP service.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Hotel searches may run under an embedded credential whose owner, quota, logging, and permission scope are unclear, and the token is exposed to anyone who installs or reads the skill.
The skill package includes a reusable bearer token for the external MCP server, while the registry requirements declare no primary credential or required environment variable.
"Authorization": "Bearer mcp_171e1ffa7da343faa4ec43460c52b13f"
Remove the bundled token, rotate it, and require each user or deployment to provide its own declared credential through a secret manager or environment variable with documented scope.
Trip details such as destination, dates, traveler counts, budget, and hotel preferences may be shared with the ai-go-hotel MCP provider.
The skill is designed to call an external MCP service for hotel search and details, which is expected for the purpose but means user trip parameters leave the local agent context.
It targets `https://mcp.aigohotel.com/mcp` using `streamable_http` and prefilled Authorization header.
Use the skill only if you are comfortable sharing those trip details with the MCP provider, and document the provider’s privacy, retention, and logging practices.