Skillv2.0.0

ClawScan security

Star Hotel Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 27, 2026, 2:38 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (hotel search) matches its instructions, but it relies on an embedded public API key and places the burden of PII filtering on the agent/platform — this trust gap and some documentation inconsistencies warrant caution.
Guidance: This skill appears to do what it says (hotel search), but it will send structured queries to an external MCP server using a public key embedded in the skill text and expects the agent to strip any PII before sending. Before installing or using it: (1) verify the external API domain and that you trust that service (the documentation shows two different domains — ask the author to clarify); (2) test only with non-sensitive queries to confirm PII is not transmitted; (3) consider requesting a private API key from the provider (or using a skill that requires you to provide your own key) so you can revoke it if needed; (4) avoid submitting names, phone numbers, emails, ID numbers, or other personal info in queries because filtering is implemented client-side and may fail. If you need higher assurance, ask the publisher for more details about their MCP endpoint and why the key is embedded.

Review Dimensions

Purpose & Capability: okThe skill is an instruction-only hotel search that calls an external MCP hotel API; the declared capability (search, details, tags) matches the tools and parameters described in the SKILL.md.
Instruction Scope: concernThe SKILL.md tells the agent to remove PII before calling the external MCP endpoint and explicitly says the agent/runtime must perform filtering. That places critical data-protection responsibility on the agent rather than enforcing it in the tool. The skill will send user search parameters to an external server (mcp.aigohotel.com) — if the agent fails to filter PII correctly, sensitive data could be transmitted. Also the doc references two different domains (mcp.agentichotel.cn for application vs mcp.aigohotel.com for the API), which is an inconsistency worth verifying.
Install Mechanism: okNo install spec and no code files (instruction-only). This minimizes local disk impact and the usual install-related risks.
Credentials: noteThe skill declares no required env vars or private credentials, which is coherent. However, it embeds a public API key directly in SKILL.md (mcp_a84000de01e04920b3690d173630f163) and an Authorization header for an external endpoint. Even if the key is described as 'public', embedding keys in skill text means any agent run will include that key when contacting the remote service — consider whether you trust that service and its rate limits/quota sharing model.
Persistence & Privilege: noteThe skill does not request always:true or other elevated persistence, and it doesn't modify other skills. However, the normal autonomous-invocation capability combined with the skill's reliance on agent-side PII filtering increases the blast radius if the agent misapplies filters.