Hotel Pricer

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says—query Amadeus for hotel prices—but it requires local installation and stores Amadeus credentials/tokens on disk.

This looks purpose-aligned, but before installing you should verify the source, be comfortable running the local build/install commands, and use a dedicated Amadeus credential whose local config file you can protect.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After installation, the binary can be run by the user or agent from PATH like any other local command.

Why it was flagged

The install instructions require compiling local Go code and placing the resulting binary into a system PATH location. This is expected for a Go CLI, but it is still a privileged local install step.

Skill content

# From the hotel-pricer source directory
go build
sudo mv hotel-pricer /usr/local/bin/

Recommendation

Install only from a source you trust, review the included code before using sudo, and consider installing to a user-local bin directory instead of a system directory.

What this means

Anyone who can read the config file may be able to use the Amadeus API credential or consume the associated account quota.

Why it was flagged

The CLI saves the Amadeus API secret to a local YAML config file. This is purpose-aligned, but it is sensitive credential material and is not declared in the registry credential metadata.

Skill content

configFilePath := filepath.Join(configPath, "config.yaml")
...
viper.Set("amadeus.api_secret", apiSecret)
...
if err := viper.WriteConfigAs(configFilePath); err != nil {

Recommendation

Use a dedicated, limited Amadeus API key, keep the config file private, and revoke or rotate the key if the machine or config file is exposed.

What this means

If the local config is exposed, the cached access token could be usable until it expires.

Why it was flagged

The tool caches the Amadeus OAuth access token and expiry in the local config. Token caching is expected for API use, but it persists temporary auth material on disk.

Skill content

viper.Set("amadeus.auth.token", tokenResponse.AccessToken)
viper.Set("amadeus.auth.expiry", newExpiry.Format(time.RFC3339))

if err := viper.WriteConfig(); err != nil {

Recommendation

Protect the config directory and clear or rotate credentials if the device is shared or compromised.