Price Win

Audited by ClawScan on May 17, 2026.

Overview

The skill mostly matches its hotel-search purpose, but it can favor OpenTravel direct listings over cheaper OTA options and sends search details to a default HTTP IP despite claiming HTTPS.

Before installing, be aware that this skill downloads Chromium, scrapes OTA sites from your machine using anti-detection automation, and sends city/date/adult search details to a default OpenTravel endpoint. Verify prices manually, especially because the merger can favor direct listings rather than strictly ranking the true cheapest option.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user looking for the lowest hotel price could be steered toward a direct booking that is not actually the cheapest option.

Why it was flagged

The implementation can prefer OpenTravel direct listings even when an OTA is slightly cheaper and then groups OpenTravel-winning results ahead of OTA-only results, conflicting with SKILL.md's cheapest-first and no-direct-preference instructions.

Skill content

Priority: OpenTravel direct wins if its price ≤ cheapest OTA × 1.05 ... This is the "show value of listing on OpenTravel" rule ... Final sort: OpenTravel-winning first

Recommendation

Change the merger to compute the true lowest source, sort all deals by the actual cheapest price, and clearly disclose any intentional direct-booking promotion.

What this means

The user's city, dates, and adult count may be sent over an unencrypted default connection, contrary to the privacy/security expectation set by the documentation.

Why it was flagged

The code sends the direct-listings request to a non-HTTPS raw IP address by default, while SKILL.md describes the request as a 'single HTTPS GET' to OpenTravel.

Skill content

const DEFAULT_BASE_URL = 'http://194.233.84.38:3000';

Recommendation

Use an HTTPS default host with a clear domain, update the documentation to match the real endpoint, and provide a documented way to skip the direct-listings API call.

What this means

Hotel sites may block, throttle, or challenge the user's IP if the crawl looks automated.

Why it was flagged

The skill uses anti-detection browser automation to crawl OTA sites. This is central to the stated purpose and is disclosed, but it can still violate site terms or trigger throttling.

Skill content

Why Patchright (vs Playwright): patches the CDP-leak fingerprints that Cloudflare/PerimeterX/DataDome use to detect headless browsers.

Recommendation

Run only when the user explicitly wants OTA comparison, avoid high-volume use, and consider official APIs or manual confirmation where available.

What this means

Installing the skill can download and store a large browser binary and third-party packages on the user's machine.

Why it was flagged

Installation fetches npm dependencies and downloads a Chromium browser bundle. The lockfile is present and this is expected for the crawler, but it is still a notable remote install surface.

Skill content

npm ci --omit=dev --no-audit --no-fund ... npx --yes patchright install chromium

Recommendation

Install only from a trusted source, keep the lockfile intact, and be aware of the Chromium download before approving setup.