ClawHub

Book Blowout

v1.0.1

Book blowout services through Lokuli MCP. Use when user needs to find and book blowout. Triggers on requests like "book a blowout", "find blowout near me", or any blowout service request.

1· 1.3k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions (search, check_availability, create_booking against a Lokuli MCP endpoint). However the SKILL.md hard-codes a zip code (90640) and contains placeholder customer data and dated sample times, which is inconsistent with triggers like 'near me' and real booking usage. Also the skill references an external MCP endpoint but declares no credentials or config that would typically be needed for a third-party booking API.
!
Instruction Scope
Instructions direct the agent to send customer-identifying information (name, email, phone) to an external endpoint (https://lokuli.com/mcp/sse) via JSON-RPC/SSE. The SKILL.md does not specify authentication, error handling, consent collection, or what data will be stored/returned. It also uses a fixed zipCode in the example rather than using the user's actual location, which is scope/behavior mismatch vs. the 'near me' trigger.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest disk/installation risk. Nothing is downloaded or written by the skill itself.
Credentials
No environment variables or credentials are requested, which reduces credential-exfiltration risk but is unusual given the external API endpoint. If Lokuli's MCP requires an API key or token, the absence of declared credentials is a gap (either the endpoint is public/anonymous or the skill assumes platform-level tooling will supply auth).
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request persistent system-wide privileges or to modify other skills/configuration.
What to consider before installing
This skill appears to do what it says (search and book blowout services) but has gaps you should clear up before installing or using it with real customer data: 1) Authentication: ask the author whether Lokuli's MCP requires an API key or token and where that credential is stored; do not provide platform or personal credentials until you confirm how they are used and protected. 2) Privacy & consent: the skill's examples show sending name, email, and phone to an external endpoint — confirm the data retention policy and get explicit user consent before sending PII. 3) Behavior mismatch: the SKILL.md example hard-codes zipCode (90640) and uses placeholder timestamps — request that the skill use the user's real location/time and validate inputs. 4) Endpoint verification: confirm the domain (lokuli.com) is legitimate, uses TLS, and has a published API/docs; avoid calling unknown third-party endpoints with real user data. 5) If you must proceed, test with synthetic data first and prefer a version that declares required credentials and documents auth, error handling, and privacy. If the author cannot justify the missing auth and the hard-coded location, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bnsssehj9txjfpy0v66esgh80ndw7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments