Hotel Pricer
v1.1.1Search hotels by city, dates, and guests using Amadeus API, returning availability and pricing in JSON format via a Go CLI tool.
⭐ 0· 634·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The code implements a Go CLI that authenticates to the Amadeus API and performs hotel-offer searches, matching the name and description. No unrelated services, credentials, or binaries are requested by the code. One metadata mismatch: SKILL.md lists 'go' as a prerequisite for installation, while the registry's required-binaries list is empty.
Instruction Scope
SKILL.md instructs building the binary and using 'hotel-pricer config set' to store API key/secret, which is exactly what the code expects. However the README/SKILL.md claim that credentials are 'securely managed' is misleading: the program stores API key/secret and cached access token in a plain YAML config file under the user's home (~/.config/hotel-pricer/config.yaml) via viper. The SKILL.md does not mention that path or that secrets are stored unencrypted on disk.
Install Mechanism
There is no automated install spec (manual 'go build' and move to PATH is required). This is low risk but means the user must build and install manually; package.json exists but is informational only. No remote downloads or archive extraction are performed by the skill itself.
Credentials
The skill does not request environment variables or unrelated credentials. It uses a local config file to hold the Amadeus API Key/Secret and caches tokens — this is proportional to its stated purpose.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false). It writes only to the user's config directory (~/.config/hotel-pricer) and does not modify other skills or system-wide settings. No elevated privileges are required except optional 'sudo mv' to place the binary in /usr/local/bin during installation, which is a standard install step.
Assessment
This skill appears to do what it says (a Go CLI that calls the Amadeus API), but review and accept these trade-offs before installing:
- Credentials storage: The tool stores your Amadeus API Key, Secret, and cached token in a YAML config file under $HOME/.config/hotel-pricer/config.yaml (written by viper). Those values are stored unencrypted, so restrict file permissions and consider using an alternative secret storage (OS keyring or environment variables) if you need stronger protection.
- SKILL.md claims 'securely manages' credentials — that wording is stronger than the implementation; treat the stored secrets as plaintext on disk.
- Installation: You must build locally with 'go build' (SKILL.md requirement). The registry metadata did not list 'go' as a required binary, so ensure you have Go installed. Moving the built binary to /usr/local/bin requires sudo.
- API endpoint: The code's API base is set to the Amadeus test host (https://test.api.amadeus.com). Confirm whether you intend to use the test environment or need to change the base URL to production before running.
- Token caching: Access tokens are written back to the same config file. If multiple users share the account or machine, ensure appropriate file permissions.
If you are comfortable with these points, the skill is internally consistent. If you need secrets encrypted at rest or automated installation, request or inspect changes to support those requirements.Like a lobster shell, security has layers — review code before you run it.
latestvk97dtkyy0xbkbtw8adk7xb04hs81bmk4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.