Skillv1.0.1

ClawScan security

Book Brake Service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 11, 2026, 9:05 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (booking brake-service) is plausible, but the runtime instructions contain inconsistencies and omit important details (authentication, dynamic location handling, and an odd transport description) that make its behavior unclear and potentially risky.
Guidance: Before installing, get clarification from the skill author: (1) Does the Lokuli MCP endpoint require authentication? If so, what credential flow is expected (API key, OAuth)? The skill should declare required env vars or an auth step. (2) Confirm how the skill obtains the user's location and contact info — do not use hardcoded zipCode or sample PII; the skill should prompt for or accept explicit user consent before sending PII. (3) Fix the technical contradictions (SSE vs POST) and replace example dates/times with dynamic handling. (4) Verify the endpoint (https://lokuli.com) is an official, trusted service and that traffic will be sent over TLS to the intended host. (5) Prefer a version of the skill that documents privacy handling and required credentials; avoid installing or granting this skill the ability to send user contact details to an external endpoint until these gaps are resolved. If you cannot get satisfactory answers, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: noteName/description match the SKILL.md examples (search, check_availability, create_booking). However the instructions hard-code example inputs (zipCode 90640, example dates/times, sample customer PII) rather than showing how to use the actual user-provided location/contact info, and they do not explain authentication or why no credentials are required for an external booking endpoint. These omissions are disproportionate to a booking skill's needs (which normally require API credentials or an OAuth flow).
Instruction Scope: concernSKILL.md instructs the agent to send booking-related data (including customerName, customerEmail, customerPhone) to an external MCP endpoint (https://lokuli.com/mcp/sse). It does not: (a) explain authentication or consent/consistency checks, (b) describe how to obtain the user's real location (it uses a fixed zip code), or (c) sanitize/limit PII before transmission. The doc also contains technical contradictions (claims 'Transport: SSE | JSON-RPC 2.0 | POST requests' — SSE is usually a GET streaming transport, not POST). These make runtime behavior ambiguous and increase the chance of unintended data exfiltration.
Install Mechanism: okInstruction-only skill with no install steps or code files — minimal disk footprint and no installer risk.
Credentials: concernThe skill requests no environment variables or credentials, yet instructs calls to an external booking MCP endpoint. Real booking APIs typically require authentication (API keys, tokens, or OAuth). The lack of any declared credential mechanism is unexpected and unexplained, which is a proportionality concern: either the endpoint is unauthenticated (risky) or the SKILL.md is incomplete.
Persistence & Privilege: okThe skill is not always-enabled and does not request persistent system privileges or modifications. It does not declare any config paths or write actions.