v0.1.3

Daolv Hotel Booking

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:03 AM.

Analysis

The hotel-search workflow is coherent, but the skill ships a ready-to-use external service token that users should review before installing.

Guidance: Review the bundled MCP config before installing. If you use the skill, consider replacing the embedded Authorization header with your own scoped credential or a provider-approved config, and assume normal hotel-search details will be sent to the ai-go-hotel MCP service.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
references/mcp-client-config.json
"Authorization": "Bearer mcp_171e1...52b13f"

This embeds a reusable Bearer credential for the external MCP server; the supplied metadata declares no primary credential or env-var credential contract, so users cannot tell whose identity, quota, or permission scope is being used.

User impact: Hotel searches may run under a credential controlled by the publisher or service rather than a user-managed key, and the token could carry unknown scope or account association.
Recommendation: Do not rely on the bundled token blindly; prefer a user-supplied, scoped API key in an environment variable or reviewed MCP config, and ask the publisher to declare the credential requirement and token scope.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
"Extract: destination, check-in date, nights, adults/children... budget" ... "targets `https://mcp.aigohotel.com/mcp` using `streamable_http`"

The workflow sends trip details and preferences to a remote MCP service; this is aligned with hotel search, but it establishes a third-party data boundary users should understand.

User impact: Your travel dates, destination, party details, budget, and preferences may be sent to the hotel MCP provider when the skill searches.
Recommendation: Use only if you are comfortable sharing those booking details with the provider; avoid including unrelated personal or financial information in hotel-search prompts.