RollingGo-Hotel-Booking-Skill

Pass

Audited by ClawScan on May 12, 2026.

Overview

This appears to be a straightforward hotel-search CLI wrapper, but it runs the latest RollingGo package and needs a RollingGo API key.

This skill looks coherent for hotel searching. Before installing, make sure you trust RollingGo and the rollinggo package, consider pinning or reviewing the package instead of always using latest, store the API key per-skill rather than host-wide, and expect hotel search details to be sent to RollingGo.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The code that runs for the CLI may change between uses, so the reviewed skill text may not fully represent future package behavior.

Why it was flagged

The skill intentionally resolves and runs the latest external RollingGo package instead of a pinned reviewed version. This is disclosed and aligned with the CLI purpose, but it creates normal supply-chain exposure.

Skill content

Default policy for this skill: use the newest release on every run. ... `npx --yes --package rollinggo@latest rollinggo ...`

Recommendation

Install only if you trust the RollingGo package source. Prefer a pinned version or a reviewed installation path for sensitive workflows.

What this means

The RollingGo CLI will be able to use the provided API key, and host-wide storage could expose the key more broadly than necessary.

Why it was flagged

The skill requires a provider API key and documents persistent host configuration options. This is expected for the service, but it is still credential handling.

Skill content

The skill needs `RollingGo_API_KEY` visible to its process. ... Per-skill (recommended) ... Host-wide ... `{ "env": { "RollingGo_API_KEY": "YOUR_KEY" } }`

Recommendation

Use per-skill credential injection where possible, avoid host-wide secrets unless needed, and revoke or rotate the key if you stop using the skill.

What this means

Destinations, dates, occupancy, budget, and other search preferences may be sent to RollingGo to retrieve results.

Why it was flagged

The documented workflow passes user-provided travel search details to a networked CLI/API. This is disclosed and necessary for hotel search, but it is a privacy-relevant data flow.

Skill content
`rollinggo search-hotels --origin-query "<user's natural language request>" --place "<destination>" ...` and `Exit 0 success · 1 HTTP/network failure`
Recommendation

Do not submit travel details you are uncomfortable sharing with the RollingGo service, and review the provider's privacy terms if needed.