File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- SKILL.md:34
Security audit
Security checks across malware telemetry and agentic risk
This is a straightforward Scavio hotel-search skill that requires a user-provided API key and does not include hidden code, persistence, or local data access.
Install only if you are comfortable sending travel search details and stay dates to Scavio and using your own SCAVIO_API_KEY. Each documented API call consumes one credit, and hotel prices should be verified with the booking vendor before purchase.
64/64 vendors flagged this skill as clean.
Detected: suspicious.exposed_secret_literal