RollingGo-Hotel-Booking-Skill

Security checks across malware telemetry and agentic risk

Overview

The skill openly describes itself as a wrapper around the rollinggo hotel-search CLI, but its API-key handling and its always-latest package execution deserve care.

Install only if you trust RollingGo and the rollinggo package source. Prefer per-skill secret injection over host-wide config, never paste a real API key into a command line, and pin (and review) a specific package version before any sensitive use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92%
Finding
The reference explicitly recommends passing the API key on the command line and via host config injection without warning that command-line arguments can be exposed through shell history, process listings, logs, or shared host configuration. In an agent/CLI skill context this is more dangerous, because automated tooling may echo commands, persist transcripts, or reuse host-level config across sessions, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
93%
Finding
The reference explicitly shows passing the API key on the command line (`--api-key YOUR_API_KEY`) without warning that command-line arguments may be exposed via shell history, process listings, logs, or telemetry. In an agent or shared-host context this increases the chance of credential disclosure beyond the immediate user session.
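The argv exposure that both findings above describe, together with the overview's advice to inject secrets per skill and to pin a package version, as an added shell example. This is not code from the skill or from the rollinggo project: it assumes the CLI can read its key from an environment variable, and `ROLLINGGO_API_KEY`, the helper names and the key value are stand-ins chosen here, not documented names.

```shell
#!/bin/sh
# Added example, not code from the skill or the rollinggo project.
# Shell functions that enforce the handling the overview recommends:
#   secret_file_is_private  - accept a key file only if group/other have no access
#   argv_leaks_secret       - detect a key that ended up on a command line
#   is_pinned               - reject "@latest" and bare package specs
#   run_with_secret         - hand the key to a command through its environment
# ASSUMPTION: ROLLINGGO_API_KEY is a stand-in variable name; the CLI's own
# documentation says which variable (if any) it reads. The key value is constructed.

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when the group and other bits are both zero (0600, 0400, 0700 ...).
secret_file_is_private() {
  mode=$(file_mode "$1") || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Usage: argv_leaks_secret SECRET CMD [ARGS...]
# Succeeds if any argument equals or embeds the secret (--api-key KEY, --api-key=KEY).
# Anything on argv is visible in ps, /proc/PID/cmdline, shell history and agent transcripts.
argv_leaks_secret() {
  secret=$1; shift
  [ -n "$secret" ] || return 1      # an empty secret would match every argument
  for arg in "$@"; do
    case "$arg" in
      *"$secret"*) return 0 ;;
    esac
  done
  return 1
}

# Usage: is_pinned PKGSPEC
# Succeeds for name@<version starting with a digit>; fails for @latest, ranges, tags, bare names.
is_pinned() {
  case "$1" in
    *@latest|*@) return 1 ;;
    *@[0-9]*)    return 0 ;;
    *)           return 1 ;;
  esac
}

# Usage: run_with_secret VARNAME KEYFILE CMD [ARGS...]
# Reads the key from a private file and exports it only into CMD's environment
# (/proc/PID/environ is readable only by the same user, unlike cmdline). Refuses an
# over-permissive key file and refuses a command line that already carries the key.
run_with_secret() {
  varname=$1; keyfile=$2; shift 2
  secret_file_is_private "$keyfile" || {
    echo "refusing: $keyfile is readable by group or other" >&2; return 2; }
  key=$(cat "$keyfile") || return 2
  if argv_leaks_secret "$key" "$@"; then
    echo "refusing: API key is present on the command line" >&2; return 2
  fi
  env "$varname=$key" "$@"
}

# Demonstration with a constructed key file; a small sh -c stands in for the real CLI.
demo() {
  keyfile=$(mktemp) || return 1
  printf 'sk-constructed-example-key' > "$keyfile"
  chmod 600 "$keyfile"
  run_with_secret ROLLINGGO_API_KEY "$keyfile" \
    sh -c '[ -n "$ROLLINGGO_API_KEY" ] && echo "key delivered via environment"'
  # The pattern the findings flag, --api-key KEY on argv, is rejected before anything runs:
  run_with_secret ROLLINGGO_API_KEY "$keyfile" \
    echo --api-key "$(cat "$keyfile")" || echo "blocked (exit $?)"
  for spec in rollinggo@latest rollinggo@1.0.0; do
    if is_pinned "$spec"; then echo "$spec: pinned"; else echo "$spec: not pinned"; fi
  done
  rm -f "$keyfile"
}
demo
```

The argv check is the one that matters most: a key passed as `--api-key KEY` is readable by every local user through `ps` or `/proc/<pid>/cmdline`, lands in shell history, and is echoed into agent transcripts and logs. An environment variable set for a single child process is visible only to the same user, and a 0600 key file per skill keeps the secret out of the host-wide config that other skills share.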

Unrestricted Tool Access

Medium
Category
Excessive Agency
Confidence
89%
Content (excerpt quoted from the skill reference)
If using an installed command instead of temporary execution, upgrade first:

- **npm global:** `npm install -g rollinggo@latest`
- **uv tool:** `uv tool upgrade rollinggo@latest`

## Primary Workflow
Finding
tool:*

VirusTotal

VirusTotal findings are pending for this skill version.
