RollingGo Hotel Search
v1.0.0
Hotel search and pricing via the RollingGo CLI. Use when the user wants to search hotels by destination, filter by date/star/budget/tags/distance, inspect ho...
by KaiChan (@cnchenkai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared needs: it requires a RollingGo CLI (rollinggo) and an API key (AIGOHOTEL_API_KEY), which are exactly what a CLI-based hotel search tool would need. The bundled references and npm/uv install entries all point to the same rollinggo package, so required components align with the stated purpose.
Instruction Scope
SKILL.md instructs only on setting the API key and invoking rollinggo subcommands (search-hotels, hotel-detail, hotel-tags). There are no instructions to read unrelated files, access other credentials, or exfiltrate data to unexpected endpoints. It does recommend exporting a provided public API key into the environment, which is operational but within scope.
Install Mechanism
Install is via npm (npx/npm) or uv/uvx tool, i.e., public package registries — a standard, expected mechanism. Note: the skill's default behavior is to run the latest release on every execution (npx --package rollinggo@latest or uvx --refresh), which means remote code will be executed dynamically; this increases runtime risk compared to using a pinned/local install.
Credentials
Only one credential is required (AIGOHOTEL_API_KEY), which is appropriate. The skill includes a pre-configured public API key for testing; this is convenient but not ideal for production. No unrelated secrets or system config paths are requested.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes or persistent elevated privileges. Autonomous invocation is allowed (platform default); combined with the dynamic 'latest release' install behavior, this slightly increases attack surface but is not by itself a coherence problem.
Assessment
This skill appears to do what it says, but consider these operational security points before installing or using it: (1) It defaults to fetching and running the latest rollinggo package on each run via npx/uvx; for production, prefer installing a pinned, reviewed version to avoid unexpected remote code execution. (2) The SKILL ships a public API key for testing; request and configure your own key for production to avoid shared quota or data-mixing. (3) If you allow autonomous agent invocation, be aware that running unpinned remote packages increases the blast radius; consider requiring user confirmation before the agent runs CLI installs or networked commands. (4) If you want extra assurance, check the rollinggo package on the npm/uv registries and the project's homepage (https://mcp.agentichotel.cn) before use.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏨 Clawdis
Any bin: rollinggo, npx, node, uvx, uv
Env: AIGOHOTEL_API_KEY
Primary env: AIGOHOTEL_API_KEY
Install
Install rollinggo (npm)
Bins: rollinggo
npm i -g rollinggo
Install rollinggo (uv)
Bins: rollinggo
uv tool install rollinggo