Security audit

hotel-recommendation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent hotel-search helper that uses a disclosed RollingGo CLI and API key, with some credential-handling cautions.

Install only if you trust the RollingGo package and hotel API provider. Prefer AIGOHOTEL_API_KEY over passing keys with --api-key, avoid sharing logs or screenshots that contain the key, and keep searches user-directed when sending dates, locations, budgets, or occupancy details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly recommends passing the API key via the `--api-key` command-line flag, but does not warn that command-line arguments can be exposed through shell history, terminal logs, process listings, CI logs, or telemetry. In an agent skill context, this is more dangerous because users or automation may copy-paste these examples directly, causing long-lived credentials to be inadvertently disclosed to other local users or logging systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly demonstrates passing the API key as a command-line argument, which can expose the secret through shell history, terminal logging, process listings, CI logs, or shared session transcripts. In this skill context, users are likely to copy-paste examples directly, so insecure secret-handling guidance materially increases the chance of credential leakage.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.