ClawHub

Book Car Wash

v1.0.1

Book car-wash services through Lokuli MCP. Use when user needs to find and book car-wash. Triggers on requests like "book a car-wash", "find car-wash near me", or any car-wash service request.

1· 1.3k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (book car-wash via Lokuli MCP) align with the runtime instructions: SKILL.md provides JSON-RPC calls for search, check_availability, and create_booking against an MCP endpoint. However, the skill does not declare any authentication mechanism or explain how API access is authorized, which is unusual for a remote booking API and reduces confidence in the claimed capability.
!
Instruction Scope
Instructions explicitly direct the agent to call an external endpoint (https://lokuli.com/mcp/sse) and to send booking payloads that include customerName, customerEmail, and customerPhone. That is consistent with booking functionality, but the instructions do not: (1) state how to obtain/require user consent for sending PII, (2) specify authentication or headers, (3) explain how location/zipCode is determined (SKILL.md uses a hardcoded zip 90640), and (4) reconcile 'SSE' transport with JSON-RPC POST examples (ambiguous). These gaps increase the risk of unintended data disclosure.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill package itself.
!
Credentials
The skill declares no required environment variables or credentials, yet it targets an external API endpoint. Real-world booking APIs typically require an API key or similar credential; the absence of any declared auth is suspicious (either the skill relies on platform-provided tooling not documented here, or it would make unauthenticated requests). The instructions also enable transmission of PII (name, email, phone) and potentially location data — this is proportional to booking functionally but should be explicitly documented and justified.
Persistence & Privilege
always is false and there is no requested persistent system modification. The skill does not ask to modify other skills or global agent settings.
What to consider before installing
This skill appears to try to book car washes by calling an external service (lokuli.com) and will send customer details (name, email, phone) and likely location. Before installing or using it: (1) verify the skill author and a trustworthy homepage/privacy policy for Lokuli; (2) confirm how the service is authenticated (API key, OAuth) — the skill does not declare any credentials; (3) ensure you consent to sending any personal data to that external domain; (4) if you want to test, run it in a sandbox and avoid providing real PII until you confirm the endpoint and security; and (5) ask the skill author to clarify the auth, consent, and how the zipCode/location is obtained. If you can't verify those points, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk976yede83mxgmngpd7bsdwtcd80m34n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments