search-hotel

SUSPICIOUS: the skill’s purpose is coherent, but it relies on an unpinned, immediately executed third-party CLI from a not-verifiably official npm scope, with undocumented backend endpoints. No clear credential harvesting is shown, yet install trust and opaque data flow make the skill medium-high risk.