See Man-in-the-middle attack.

You said it is vulnerable for MITM attack, when using that.
So how can they do that if I specified IP where to connect?

I do not understand. The -hostkey=* applies only to that open command. So only to the server (hostname or IP) that you specify in the open command.

thank you for info.
I don't have any that much important data. I use this just to send some files over internet.
Problem is, when sending files stops to work when certificate changes and I don't know that.
Is there a way to accept certificate only when server name match "myserver" or only for servers with IP - my ip server"123.123.123.123"
This will be much safer.

You can use -hostkey=*:
https://winscp.net/eng/docs/scriptcommand_open#hostkey

But you should not do it! Verifying the hostkey (it's not a certificate) is an integral part of SSH security. By blindly accepting any hostkey, you become vulnerable to MITM attacks. Your server's host key should not change. If it does, it's a security weakness.

How to make a script to send files and auto accept certificate instead of putting in script a key which can change?
For example to skip this in script and auto accept and connect ssh-rsa 2048 xxxxxxxxxxx...=: