Skill v1.0.0
ClawScan security
rollinggo-searchflight-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 3:06 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only flight-search integration that only directs the agent to call a single remote MCP endpoint and does not request unrelated credentials, installs, or local access — its requirements and instructions are internally consistent with the described purpose.
- Guidance: This skill is instruction-only and appears to do exactly what it says: call RollingGo's flight MCP to search and present flight options. Before installing, consider: (1) it will make network requests to https://mcp.rollinggo.cn (verify you trust RollingGo and their privacy/terms), (2) do not provide sensitive credentials unless you intend to use a private/business key (the RollingGo_API_KEY is optional), and (3) the skill explicitly does not perform booking/payment actions — if the user asks for booking, handle that separately. If you need stronger isolation, only enable the skill for specific conversations or restrict network access to the MCP endpoint.
Review Dimensions
- Purpose & Capability (ok): Name/description map to the behavior in SKILL.md: resolving airports and calling a RollingGo flight MCP to search and compare flights. The only external endpoint is the listed MCP server and the provided homepage; no unrelated services or credentials are required.
- Instruction Scope (note): Instructions stay within flight-search scope (resolve airport names, run searchFlights, present results). The skill asks the agent to load the included reference file for the session and to use an optional --api-key flag or RollingGo_API_KEY env var if provided; this env var is optional and not declared as required. No instructions ask the agent to read system files, other env vars, or to transmit data to endpoints unrelated to RollingGo.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This is the lowest-risk install surface (nothing is written to disk or executed locally by the skill).
- Credentials (ok): The skill does not require any credentials by default. It documents an optional RollingGo_API_KEY (and accepts a --api-key flag) which is proportional to a remote API integration. There are no other env vars, keys, or config paths requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged presence or modify other skills. Autonomous invocation is allowed (platform default) but the skill's scope is limited to calls to the stated MCP endpoint.
