aigo hotel search
v1.0.9智能酒店搜索,支持地点、日期、星级、预算筛选
⭐ 0· 511·1 current·1 all-time
byqkzy-oss@l18784175468-oss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (hotel search with filters) matches the declared tools (searchHotels, getHotelDetail, getHotelSearchTags) and there are no unrelated environment variables, binaries, or install steps requested. The embedded public MCP key and MCP URL are coherent with the described MCP-based API usage.
Instruction Scope
SKILL.md is instruction-only and confines transmitted data to structured search parameters. However, it places responsibility on the agent runtime to remove PII from originQuery and to perform filtering; if the agent implementation fails to follow that, user PII could be sent. The instructions do not request reading local files or unrelated system data.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing will be written to disk or fetched during installation. This is the lowest install risk profile.
Credentials
The skill requests no user credentials or env vars. It embeds a bearer token (mcp_7d31559a...) in the SKILL.md and shows it in the MCP config; the skill claims this token is a public community API key (non-secret) which explains why no secret is requested. Verify the token truly is public and rate-limited as claimed before trusting it in production.
Persistence & Privilege
always is false and the skill is user-invocable only. The skill does not request persistent platform-level privileges, nor does it attempt to modify other skills or system-wide settings.
Assessment
This skill appears to do what it says (hotel search) and doesn't ask you to provide secrets or install code, but you should: 1) Confirm the MCP endpoint (https://mcp.aigohotel.com) and the embedded key are legitimate and truly 'public' before relying on them; 2) Ensure your agent/platform actually implements the required PII-stripping (test with inputs containing names/phones to see if they are removed); 3) Avoid sending real personal data in queries (names, phones, emails, IDs); 4) If you need accountability or higher quotas, consider using your own API key rather than the embedded public key; and 5) Review any privacy policy or terms for the MCP service to understand data retention and processing.Like a lobster shell, security has layers — review code before you run it.
latestvk970cztp3xcgvvg1kc729ke61x81t4sz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.