Skill v1.0.0
ClawScan security
aigohotel-mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 8:28 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documented behavior (calling a remote/local MCP service) matches its stated purpose, but the instructions embed undeclared credentials, a hard-coded shared API key, and advise downloading/running external code without an install spec — these inconsistencies and risks warrant caution.
- Guidance: This skill appears to implement hotel search via a remote/local MCP service, but there are notable inconsistencies and operational risks you should consider before installing:
  - Metadata mismatch: The registry lists no required environment variables or credentials, yet the documentation requires an API key (and names env vars like AIGOHOTEL_API_KEY). Confirm with the skill author which secrets are truly required and why they were omitted from metadata.
  - Hard-coded API key: The docs include a default/shared API key. Do not rely on or expose this key — it may be public, revoked, rate-limited, or abused. Prefer using your own API key provisioned by the service.
  - Running external code: The references tell you to git clone a repository and run server.py or run packages via npx/uvx. Treat that like running untrusted code: inspect the repository source, run it in an isolated environment (container/VM) and review dependencies before executing.
  - Endpoint domains: The docs reference multiple domains (mcp.aigohotel.com and mcp.agentichotel.cn). Verify the correct official endpoints with the provider to avoid calling a typo-squatted or malicious host.

  Recommended steps before use:
  1) Ask the publisher to update registry metadata to declare required env vars and primary credential.
  2) Obtain an official API key from the provider and never embed it in public docs.
  3) Inspect the GitHub repository (or published packages) for malicious code before running locally; run in an isolated environment.
  4) Prefer the documented cloud HTTP mode with your own credentials rather than blindly using the provided shared key or running unverified local servers.
  5) If you need help vetting the upstream repo, have a developer/security person review it.
Review Dimensions
- Purpose & Capability (concern): Name/description (hotel search via AigoHotel MCP) align with the endpoints and tool names in the docs. However the skill metadata declares no required env vars/credentials while the instructions and references repeatedly require an API key (AIGOHOTEL_API_KEY/AIGOHOTEL_SECRET_KEY) or a Bearer token — this mismatch is unexpected and incoherent.
- Instruction Scope (concern): SKILL.md and references explicitly instruct calling external HTTP endpoint(s) and running local stdio/HTTP MCP processes. They also tell users to git clone a GitHub repo and run server.py (execute third-party code). The instructions include a default shared API key and recommend injecting it into env vars. There are no instructions to read unrelated system files, but recommending running arbitrary repo code and embedding a public key are scope risks.
- Install Mechanism (concern): There is no formal install spec in registry metadata, yet the docs tell operators to 'git clone', 'pip install -r requirements.txt' and 'python server.py', or to run published uvx/npx packages. Downloading and executing repository code is higher-risk behavior; the registry should have declared install steps or provenance for packages used.
- Credentials (concern): Although the skill metadata lists no required env vars or primary credential, the reference docs require/encourage putting API keys into env vars and even give a concrete default key (mcp_03f4aa5623d344308273e55aed135257). This is inconsistent and potentially dangerous: the skill will attempt to use networked credentials but doesn't declare them, and a hard-coded public key may be stale, shared, or abused.
- Persistence & Privilege (ok): The skill does not request 'always: true' or other elevated persistence, and it does not declare config path or system-wide modifications. Autonomous invocation is allowed (default) but not combined here with other high privileges.
