全能订酒店国内版 (All-in-One Hotel Booking, Domestic Edition)

Pass

Audited by ClawScan on May 12, 2026.

Overview

This hotel-search skill is coherent and purpose-aligned, but it depends on an external RollingGo CLI package and API key that users should manage carefully.

Before installing, make sure you trust the RollingGo CLI package and service, because the skill runs that package and uses your RollingGo_API_KEY to query hotel data. For safer use, keep the key scoped to this skill and consider pinning a package version instead of always running rollinggo@latest.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the user's RollingGo API key when querying the hotel service.

Why it was flagged

The skill requires an API key for RollingGo, which is expected for the integration but is still a credential the user must protect.

Skill content

Resolution order: `--api-key` argument → `RollingGo_API_KEY` environment variable.

Recommendation

Use a dedicated RollingGo key if possible, avoid sharing it broadly, and prefer skill-scoped environment injection over host-wide configuration.

What this means

Future package updates from the RollingGo package source could change what code runs locally.

Why it was flagged

The skill intentionally runs the latest published RollingGo package rather than a pinned version, so behavior can change when the upstream package changes.

Skill content

`npx --yes --package rollinggo@latest rollinggo ...`

Recommendation

If you need reproducibility, pin a known-good RollingGo version or review the package source before using latest-version execution.

What this means

A host-wide API-key setting may make the same key available beyond this specific skill depending on the host configuration.

Why it was flagged

The reference explains persistent credential injection, including skill-scoped and host-level options. This is useful setup guidance but affects credential exposure boundaries.

Skill content

Per-skill injection is the recommended first choice. ... `"env": { "RollingGo_API_KEY": "YOUR_KEY" }`

Recommendation

Prefer the documented per-skill injection method and avoid putting the key in broader host or shell configuration unless necessary.