Locu
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill uses a user-provided Locu token for read-only Locu API requests and appears purpose-aligned, but the token and returned workspace data are sensitive.
Before installing, verify that this is the Locu API integration you intend to use, provide only a least-privilege/revocable PAT, and avoid retrieving task or project information you would not want placed into the agent conversation context.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can access Locu account/workspace information available to that token, including task and project data.
The skill requires a Locu personal access token and uses it in Authorization bearer headers for Locu API calls.
`LOCU_API_TOKEN`: Your Personal Access Token (PAT).
Use a least-privilege, revocable Locu token if available, and revoke or rotate it when no longer needed.
Users have less external context for confirming that this skill is official or maintained before trusting it with a Locu token.
The skill does not provide a source repository or homepage, which limits provenance verification even though there is no executable code in this artifact set.
Source: unknown; Homepage: none
Confirm the API endpoint and token setup against trusted Locu documentation before installation or use.
