rollinggo-searchhotel

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal RollingGo CLI/API helper, with the main risk being documentation that shows an API key on the command line.

Before installing, prefer setting the RollingGo API key through an environment variable or secret manager instead of passing it with `--api-key`; avoid pasting real keys into shared terminals, logs, or chat transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The reference explicitly demonstrates passing the API key via the `--api-key` command-line flag (`rollinggo hotel-tags --api-key YOUR_API_KEY`) without warning that command-line arguments may be exposed through shell history, process listings, logging, or telemetry. In an agent/CLI context, this increases the chance that users or automation will handle credentials insecurely, especially because the document presents the pattern as a normal usage example.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The reference explicitly documents passing the API key via the `--api-key` command-line flag without warning that command-line arguments may be exposed through shell history, process listings, logs, or shared terminal transcripts. In this skill context, users may copy-paste examples directly, so the documentation increases the likelihood of accidental secret disclosure even though it is not an active exfiltration mechanism.

VirusTotal

61/61 vendors flagged this skill as clean.