aigohotel-mcp
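v1.0.0
Use the AigoHotel MCP tools to perform hotel search, structured filtering, and real-time room-type price confirmation. Triggered when the user asks for hotel recommendations, sets budget or star-rating limits, compares candidates, or needs room-type prices and cancellation/change rules confirmed. This skill prefers calling the MCP tools and returns structured conclusions, and it selects cloud HTTP, uvx stdio, or local debugging mode according to the client environment.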
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (hotel search via AigoHotel MCP) align with the endpoints and tool names in the docs. However the skill metadata declares no required env vars/credentials while the instructions and references repeatedly require an API key (AIGOHOTEL_API_KEY/AIGOHOTEL_SECRET_KEY) or a Bearer token — this mismatch is unexpected and incoherent.
Instruction Scope
SKILL.md and references explicitly instruct calling external HTTP endpoint(s) and running local stdio/HTTP MCP processes. They also tell users to git clone a GitHub repo and run server.py (execute third-party code). The instructions include a default shared API key and recommend injecting it into env vars. There are no instructions to read unrelated system files, but recommending running arbitrary repo code and embedding a public key are scope risks.
Install Mechanism
There is no formal install spec in registry metadata, yet the docs tell operators to 'git clone', 'pip install -r requirements.txt' and 'python server.py', or to run published uvx/npx packages. Downloading and executing repository code is higher-risk behavior; the registry should have declared install steps or provenance for packages used.
Credentials
Although the skill metadata lists no required env vars or primary credential, the reference docs require/encourage putting API keys into env vars and even give a concrete default key (mcp_03f4aa5623d344308273e55aed135257). This is inconsistent and potentially dangerous: the skill will attempt to use networked credentials but doesn't declare them, and a hard-coded public key may be stale, shared, or abused.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence, and it does not declare config path or system-wide modifications. Autonomous invocation is allowed (default) but not combined here with other high privileges.
What to consider before installing
This skill appears to implement hotel search via a remote/local MCP service, but there are notable inconsistencies and operational risks you should consider before installing:
- Metadata mismatch: The registry lists no required environment variables or credentials, yet the documentation requires an API key (and names env vars like AIGOHOTEL_API_KEY). Confirm with the skill author which secrets are truly required and why they were omitted from metadata.
- Hard-coded API key: The docs include a default/shared API key. Do not rely on or expose this key — it may be public, revoked, rate-limited, or abused. Prefer using your own API key provisioned by the service.
- Running external code: The references tell you to git clone a repository and run server.py or run packages via npx/uvx. Treat that like running untrusted code: inspect the repository source, run it in an isolated environment (container/VM) and review dependencies before executing.
- Endpoint domains: The docs reference multiple domains (mcp.aigohotel.com and mcp.agentichotel.cn). Verify the correct official endpoints with the provider to avoid calling a typo-squatted or malicious host.
Recommended steps before use:
1) Ask the publisher to update registry metadata to declare required env vars and primary credential.
2) Obtain an official API key from the provider and never embed it in public docs.
3) Inspect the GitHub repository (or published packages) for malicious code before running locally; run in an isolated environment.
4) Prefer the documented cloud HTTP mode with your own credentials rather than blindly using the provided shared key or running unverified local servers.
5) If you need help vetting the upstream repo, have a developer/security person review it.
Like a lobster shell, security has layers — review code before you run it.
latest
Aigohotel MCP
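Key principles
- The skill describes the workflow, configuration templates, and parameter mapping.
- Running it depends on an existing service or a published package:
  - HTTP (recommended, use directly): https://mcp.aigohotel.com/mcp
  - stdio (alternative, run locally): uvx aigohotel-mcp
  - stdio (alternative, run locally): npx -y aigohotel-mcp
  - MCP configuration / source debugging: see references/mcp-config.md
Execution flow
- Extract constraints: location, dates, number of guests, budget, star rating, amenity preferences.
- Map parameters:
  - Location maps to place + placeType
  - Stay maps to checkInParam/dateParam/occupancyParam
  - Preferences and budget map to hotelTags
- When the tags are uncertain, call getHotelSearchTags first.
- Use searchHotels for candidate recall and first-round filtering; originQuery keeps the user's original sentence.
- When prices and rules need to be confirmed, use getHotelDetail (prefer hotelId).
- When outputting results, state the assumptions and the filtering basis clearly.
Execution rules
- Do not fabricate availability, taxes and fees, or cancellation/change rules; only quote what the tools return.
- When no dates are provided, state the date assumption explicitly before querying.
- When a settlement currency is involved, pass localeParam.countryCode and localeParam.currency explicitly.
- The configuration examples can use the default Key directly; see references/mcp-config.md.
Reference files
- Parameter definitions and call order: references/tools.md
- Client configuration and local running: references/mcp-config.md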
