Stayfinder
Pass. Audited by ClawScan on May 13, 2026.
Overview
Stayfinder appears to match its hotel-search purpose, but it stores a StayFinder token/email and sends your trip search details to StayFinder, so use it only if you trust that service.
Before installing, make sure you are comfortable enabling executable OpenClaw tools that contact StayFinder, storing a local StayFinder token, and sharing trip search details with that service. The provided artifacts do not show scraping, browser automation, destructive actions, or hidden data collection, but the redacted static token warning is worth confirming in the unredacted package if you want extra assurance.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your lodging destination, dates, party size, filters, and optional trip intent may be sent to StayFinder.
The skill sends user-provided travel details to an external provider API, which is necessary for live lodging search and is clearly disclosed.
StayFinder receives the search parameters needed to find lodging — destination, dates, party size, filters, and (optionally) a one-sentence description of what kind of trip you're planning.
Use the plugin only if you are comfortable sharing those travel search details with StayFinder; avoid adding unnecessary sensitive personal details to lodging queries.
Anyone who can read that credential file could use your StayFinder access.
The plugin stores a service token locally for future authenticated searches and re-authentication. This is disclosed and scoped, but it is still credential material.
The API token is written to `~/.openclaw/credentials/stayfinder.json` (mode 0600, readable only by you) and is never shown to the user or the agent.
Keep your OpenClaw credential directory private, be cautious with backups or shared machines, and remove the StayFinder credential file if you want to reset the plugin's access.
You may receive a StayFinder verification email during a lodging-search session without retyping your email.
The agent may call the signup flow again using the cached email when access expires. This is disclosed and purpose-aligned, but it is an automatic account-related action.
If you go about a week without searching, the agent sends you a fresh code automatically — you don't have to re-enter your email.
Only paste verification codes when you expect the StayFinder setup or re-authentication flow, and ignore unexpected codes outside that context.
If the unredacted file actually contains a literal production token, that would be a credential hygiene issue; the provided evidence does not prove that.
The static scan flagged a possible hardcoded token in a runtime file, but the visible code and documentation indicate expected use of a stored user token. The redacted evidence is not enough to confirm a real secret exposure.
suspicious.exposed_secret_literal ... Evidence: apiToken: [REDACTED],
Publisher should clarify or suppress the apparent false positive, or remove any real literal token. Cautious users can inspect the unredacted package before installing.
