rollinggo-hotel-cn

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed hotel-search helper that uses the RollingGo CLI and an API key, with manageable credential and package-version hygiene risks.

Install only if you are comfortable giving RollingGo a dedicated API key and sending hotel-search details to its service. Prefer skill-scoped environment configuration for `RollingGo_API_KEY`, avoid putting real keys directly in `--api-key` command examples, and consider pinning or reviewing the rollinggo package if you want tighter supply-chain control than `@latest`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 88%
Finding
The document recommends passing the API key directly on the command line (`--api-key YOUR_API_KEY`), which can expose the secret through shell history, process listings, CI logs, or terminal recordings. In this skill context, the risk is limited to credential leakage rather than direct code execution, but leaked API keys could enable unauthorized use of the hotel API.

VirusTotal

66/66 vendors flagged this skill as clean.
