Star Hotel Search
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only hotel search skill appears coherent and benign, but it sends hotel search details to an external MCP service using a shared public API key.
This skill is reasonable for hotel search and contains no code or install-time execution. Before using it, understand that relevant search details will be sent to the external Star/Aigo hotel MCP service through a shared public API key, and avoid entering personal identifiers or unrelated sensitive information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Hotel searches may run under a shared provider key with rate limits rather than a user-specific account.
The skill uses a built-in bearer token to access the hotel MCP service. It is disclosed as a public/shared key and is purpose-aligned, but users should know requests are not made with their own isolated credential.
"Authorization": "Bearer mcp_a84000de01e04920b3690d173630f163" ... "This Key is designed for community developers and is not a confidential credential"
Use the built-in key only for ordinary searches; if reliability or account separation matters, apply for and configure an exclusive provider key if supported.
An external hotel service may receive trip details such as destination, dates, budget, party size, and preferences.
The skill routes hotel search parameters to an external MCP endpoint. The allowed data is disclosed and scoped, but travel searches can still reveal private preferences or plans.
"url": "https://mcp.aigohotel.com/mcp" ... "Only hotel search structured parameters: Location, date, number of people, star rating, budget, tags"
Avoid including names, contact details, IDs, or unrelated private text in hotel queries, and review the provider if travel-search privacy is important.