ClawHub

rollinggo-searchhotel

v1.0.2

Hotel search and pricing via the RollingGo CLI. Use when the user wants to search hotels by destination, filter by date/star/budget/tags/distance, inspect ho...

0· 84·0 current·0 all-time
by@dreamtzlong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (rollinggo/npx/node/uvx/uv) and the single required env var (RollingGo_API_KEY) are consistent with a CLI wrapper that can be run via npm/uvx or an installed binary. The install entries (node/uv packages named rollinggo) align with the described functionality.
Instruction Scope
SKILL.md confines runtime actions to invoking the rollinggo CLI and parsing its JSON output, and it documents flags and workflows. It does not instruct reading unrelated files or env vars. However, the default policy is to run the newest release on every run (npx --package rollinggo@latest or uvx --refresh), which means the agent will fetch and execute remote package code at runtime — this increases supply‑chain risk and runtime variability.
Install Mechanism
Install uses public package managers (npm/uv) and references package name 'rollinggo' — these are traceable registry installs rather than arbitrary URL downloads, which is reasonable for a CLI. The use of npx/uvx to run latest-by-default is convenient but results in transient execution of remote code each run; consider pinning versions for stability and security.
Credentials
Only one environment variable/credential is required: RollingGo_API_KEY (declared as primaryEnv). That is proportionate for a third‑party API CLI that needs an API key. No unrelated secrets or config paths are requested.
Persistence & Privilege
Skill does not request 'always' presence, does not declare system config paths, and does not modify other skills. Default autonomous invocation is allowed (platform default) but not combined with any additional privileged settings.
Assessment
This skill appears to do what it says: run the RollingGo CLI to search and inspect hotels and it only needs your RollingGo_API_KEY. Before installing, consider: (1) the SKILL defaults to executing the latest package via npx/uvx on every run — that means code from the npm/uv registry will be fetched and run at runtime; if you need stability or want to reduce supply‑chain risk, prefer installing a pinned global/local version instead of using --package@latest or --refresh; (2) verify you trust the RollingGo provider and the npm/uv package named 'rollinggo' (check the package homepage/repo and npm/uv package pages); (3) confirm what the RollingGo_API_KEY grants (scope, rate limits, billing) and avoid reusing high‑privilege keys; (4) this skill does not request other system files or unrelated credentials. If you want higher assurance, inspect the rollinggo package source on its registry/repository before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cg1rq1q4pf67v34wvb7psrn83gtd8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏨 Clawdis
Any binrollinggo, npx, node, uvx, uv
EnvRollingGo_API_KEY
Primary envRollingGo_API_KEY

Install

Install rollinggo (npm)
Bins: rollinggo
npm i -g rollinggo
Install rollinggo (uv)
Bins: rollinggo
uv tool install rollinggo

Comments