Book Brake Service
v1.0.1
Book brake-service services through Lokuli MCP. Use when user needs to find and book brake-service. Triggers on requests like "book a brake-service", "find brake-service near me", or any brake-service service request.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the SKILL.md examples (search, check_availability, create_booking). However the instructions hard-code example inputs (zipCode 90640, example dates/times, sample customer PII) rather than showing how to use the actual user-provided location/contact info, and they do not explain authentication or why no credentials are required for an external booking endpoint. These omissions are disproportionate to a booking skill's needs (which normally require API credentials or an OAuth flow).
Instruction Scope
SKILL.md instructs the agent to send booking-related data (including customerName, customerEmail, customerPhone) to an external MCP endpoint (https://lokuli.com/mcp/sse). It does not: (a) explain authentication or consent/consistency checks, (b) describe how to obtain the user's real location (it uses a fixed zip code), or (c) sanitize/limit PII before transmission. The doc also contains technical contradictions (claims 'Transport: SSE | JSON-RPC 2.0 | POST requests' — SSE is usually a GET streaming transport, not POST). These make runtime behavior ambiguous and increase the chance of unintended data exfiltration.
Install Mechanism
Instruction-only skill with no install steps or code files — minimal disk footprint and no installer risk.
Credentials
The skill requests no environment variables or credentials, yet instructs calls to an external booking MCP endpoint. Real booking APIs typically require authentication (API keys, tokens, or OAuth). The lack of any declared credential mechanism is unexpected and unexplained, which is a proportionality concern: either the endpoint is unauthenticated (risky) or the SKILL.md is incomplete.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges or modifications. It does not declare any config paths or write actions.
What to consider before installing
Before installing, get clarification from the skill author: (1) Does the Lokuli MCP endpoint require authentication? If so, what credential flow is expected (API key, OAuth)? The skill should declare required env vars or an auth step. (2) Confirm how the skill obtains the user's location and contact info — do not use hardcoded zipCode or sample PII; the skill should prompt for or accept explicit user consent before sending PII. (3) Fix the technical contradictions (SSE vs POST) and replace example dates/times with dynamic handling. (4) Verify the endpoint (https://lokuli.com) is an official, trusted service and that traffic will be sent over TLS to the intended host. (5) Prefer a version of the skill that documents privacy handling and required credentials; avoid installing or granting this skill the ability to send user contact details to an external endpoint until these gaps are resolved. If you cannot get satisfactory answers, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest
Book Brake Service
Book brake-service services through Lokuli's MCP server.
MCP Endpoint
https://lokuli.com/mcp/sse
Transport: SSE | JSON-RPC 2.0 | POST requests
Tools
search
{
  "method": "tools/call",
  "params": {
    "name": "search",
    "arguments": {
      "query": "brake-service",
      "zipCode": "90640",
      "maxResults": 20
    }
  }
}
check_availability
{
  "method": "tools/call",
  "params": {
    "name": "check_availability",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "date": "2025-02-10"
    }
  }
}
create_booking
{
  "method": "tools/call",
  "params": {
    "name": "create_booking",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "timeSlot": "2025-02-10T14:00:00-08:00",
      "customerName": "John Doe",
      "customerEmail": "john@example.com",
      "customerPhone": "+13105551234"
    }
  }
}
