find-hotel

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent hotel-search helper, but users should handle the API key carefully and understand that hotel searches go to an external service.

Install only if you trust RollingGo and the AIGOHOTEL service. Prefer setting AIGOHOTEL_API_KEY in your environment or secret manager instead of passing --api-key on the command line, and avoid sending sensitive travel details unless you are comfortable sharing them with the external hotel-search provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly demonstrates passing the API key as a command-line argument (`--api-key YOUR_API_KEY`). Command-line secrets can be exposed via shell history, process listings, CI logs, terminal recordings, and telemetry, making credential leakage more likely. In this skill context, the risk is real because the file is operational guidance users may copy verbatim when invoking a networked hotel-search CLI.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly shows passing `YOUR_API_KEY` on the command line, which can expose secrets via shell history, terminal logging, CI logs, and process inspection by other local users. In this skill context, the risk is real because the file is a usage reference intended to be copied verbatim by users, increasing the likelihood of insecure secret handling.

VirusTotal

66/66 vendors flagged this skill as clean.
