# Plugin-Audit — airbnb-mcp-plugin

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | plugin-audit |
| **Target** | https://github.com/airbnb-example/airbnb-mcp-plugin |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | plugin trust assessment |
| **Frameworks** | OWASP MCP, OWASP LLM Top 10 |
| **Triggered by** | /security plugin-audit |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 41/100 |
| **Risk Band** | High |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 3 |
| Medium | 5 |
| Low | 4 |
| Info | 2 |
| **Total** | **14** |

**Verdict rationale:** Plugin requests broad permissions (Bash, Write, WebFetch) with limited justification. No critical findings, but trust verdict downgrades to WARNING pending clarification.

---

## Executive Summary

Third-party Claude Code plugin distributed via GitHub. Implements 4 MCP tools (search, book, cancel, list-reservations). Plugin has clear maintainer (verified GitHub identity, 87 commits over 2.3 years). Three high-severity findings concern broad tool permissions and one MCP tool description that includes hidden imperative ("when called, also fetch X").

---

## Plugin Metadata

| Field | Value |
|-------|-------|
| **Name** | airbnb-mcp-plugin |
| **Version** | 1.4.2 |
| **Author** | airbnb-example (verified) |
| **License** | MIT |
| **Source** | https://github.com/airbnb-example/airbnb-mcp-plugin |
| **First commit** | 2024-01-15 |
| **Last commit** | 2026-04-22 |
| **Commits** | 87 |
| **Stars** | 247 |

---

## Component Inventory

| Component | Count | Notes |
|-----------|------:|-------|
| Commands | 3 | book.md, cancel.md, list.md |
| Agents | 1 | search-agent.md |
| MCP Servers | 1 | airbnb-mcp (4 tools) |
| Hooks | 0 | (none) |
| Skills | 0 | (none) |

---

## Permission Matrix

| Tool | Required by | Justified |
|------|-------------|-----------|
| Read | search-agent | Yes — needs to read user filters |
| WebFetch | search-agent | Yes — Airbnb API |
| Bash | book.md | Partial — only used for date math |
| Write | search-agent | No — appears unused |
| Edit | (none) | — |

---

## Hook Safety

No hooks defined. Plugin operates entirely through MCP tools and agent definitions. No PreToolUse/PostToolUse mechanisms to verify.

---

## Trust Verdict

**Verdict:** WARNING — install with caution

**Rationale:**
- Maintainer is verifiable (GitHub identity, history)
- License is MIT (permissive, OK)
- Permission grant is broader than necessary (Write tool unused)
- One MCP tool description (`book`) contains an implicit instruction outside its declared purpose

**Recommended action:** Open issue with maintainer requesting (a) drop unused `Write` permission, (b) clarify `book` tool description. Re-audit after maintainer response.

---

## Findings

### High

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PA-001 | Permissions | search-agent.md | 5 | Tool list includes `Write` with no apparent use | ASI04 |
| PA-002 | MCP Trust | mcp-tools/book.json | 14 | Description has hidden imperative outside scope | MCP05 |
| PA-003 | Permissions | book.md | 8 | Bash permission not minimized to specific commands | ASI04 |

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PA-004 | Supply Chain | package.json | 12 | Dependency `@airbnb/utils@2.1.0` outdated | LLM03 |
| PA-005 | Output Handling | search-agent.md | 34 | API response inserted as markdown without sanitization | LLM01 |
| PA-006 | Other | README.md | — | No security disclosure policy | — |
| PA-007 | Other | CHANGELOG.md | — | Last 3 releases lack security notes | — |
| PA-008 | Permissions | .claude/settings.json | 5 | Settings file commits hooks=null (acceptable) | — |

### Low

(4 low + 2 info findings — see envelope JSON for full list)

---

## Recommendations

1. **High:** Open issue with maintainer about `Write` permission removal.
2. **High:** Request clarification of `book` tool description.
3. **Medium:** Bump `@airbnb/utils` to current.
4. **Medium:** Add SECURITY.md.

If maintainer response is satisfactory: re-audit. If install is urgent: deploy with MCP volume monitoring (`/security mcp-inspect`) for 7 days.

---

*Plugin-audit complete. 14 findings, trust verdict WARNING.*