Daolv Hotel Search
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Hotel searches may run under an embedded shared credential that the user cannot manage or revoke, and activity may be attributed to that token rather than a user-scoped account.
The skill ships a prefilled bearer credential for the remote MCP server. Registry metadata declares no primary credential or env var, so the credential owner, scope, rotation, and intended sharing model are unclear.
"Authorization": "Bearer mcp_171e1ffa..."
Remove the embedded token, require a user-supplied scoped API key through a declared env var or config path, and document the token scope and rotation process.
A third-party hotel service can receive trip details and preferences entered during the search.
The normal workflow sends user travel-search details to an external MCP endpoint. This is expected for the stated hotel-search purpose, but it is still a privacy-relevant data flow.
Extract destination, check-in date, nights, guests, budget... Call `ai-go-hotel.searchHotels`... Endpoint: `https://mcp.aigohotel.com/mcp`
Use the skill only for hotel-search details you are comfortable sharing with the MCP provider, and avoid adding unnecessary personal or confidential information.
Users could overestimate the skill's booking capabilities or assume it supports room-level confirmation when the runtime instructions are narrower.
The promotional copy describes a broader booking workflow, while SKILL.md describes a search/shortlist skill and says it is not for full booking-room confirmation. This appears to be inconsistent documentation rather than runtime malicious behavior.
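`daolv-hotel-booking`... automatically completes "requirements clarification → hotel filtering → room-type price comparison → decision recommendation → pre-order confirmation"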
Align the promo and distribution documents with the actual search-only scope, or clearly document any separate booking/detail workflow if it is intended.
