rollinggo-hotel
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future package update could change behavior between runs, including how the CLI handles commands and the API key.
The skill intentionally executes or refreshes the latest external RollingGo package rather than a pinned reviewed version.
Default policy for this skill: use the newest release on every run. ... `npx --yes --package rollinggo@latest rollinggo ...` ... `uvx --refresh --from rollinggo@latest rollinggo ...`
Prefer a trusted, pinned version where possible, or review the RollingGo package provenance before using latest-by-default execution.
Anyone or any process with access to this environment variable or command-line key could potentially use the RollingGo account/API allocation.
The CLI needs a service credential to access RollingGo, which is expected for the stated hotel search purpose but still sensitive.
Resolution order: `--api-key` flag → `RollingGo_API_KEY` env var.
Store the key only in a per-skill or otherwise scoped secret mechanism, avoid sharing it in prompts or logs, and avoid command-line flags if your shell history or process list is exposed.
Travel plans and search preferences may be shared with the RollingGo service when the skill is used.
The workflow uses an external CLI-backed service to process destinations, dates, occupancy, budgets, and hotel IDs.
Run `search-hotels` → parse JSON → extract `hotelId` ... `hotel-detail --hotel-id <id>` for room plans and pricing
Use the skill only for travel searches you are comfortable sending to RollingGo, and review the service’s privacy terms if the itinerary is sensitive.