rollinggo-hotel
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent hotel-search CLI skill, but it relies on a RollingGo API key and executes the latest external RollingGo package when used.
Before installing, confirm you trust RollingGo and are comfortable providing a RollingGo_API_KEY. For better control, use per-skill secret injection and consider pinning or pre-installing a reviewed RollingGo CLI version instead of always running the latest package.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future package update could change behavior between runs, including how the CLI handles commands and the API key.
The skill intentionally executes or refreshes the latest external RollingGo package rather than a pinned reviewed version.
Default policy for this skill: use the newest release on every run. ... `npx --yes --package rollinggo@latest rollinggo ...` ... `uvx --refresh --from rollinggo@latest rollinggo ...`
Prefer a trusted, pinned version where possible, or review the RollingGo package provenance before using latest-by-default execution.

Anyone or any process with access to this environment variable or command-line key could potentially use the RollingGo account/API allocation.
The CLI needs a service credential to access RollingGo, which is expected for the stated hotel search purpose but still sensitive.
Resolution order: `--api-key` flag → `RollingGo_API_KEY` env var.
Store the key only in a per-skill or otherwise scoped secret mechanism, avoid sharing it in prompts or logs, and avoid command-line flags if your shell history or process list is exposed.

Travel plans and search preferences may be shared with the RollingGo service when the skill is used.
The workflow uses an external CLI-backed service to process destinations, dates, occupancy, budgets, and hotel IDs.
Run `search-hotels` → parse JSON → extract `hotelId` ... `hotel-detail --hotel-id <id>` for room plans and pricing
Use the skill only for travel searches you are comfortable sending to RollingGo, and review the service’s privacy terms if the itinerary is sensitive.
