ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Book Carpet Cleaning

v1.0.1

Book carpet-cleaning services through Lokuli MCP. Use when user needs to find and book carpet-cleaning. Triggers on requests like "book a carpet-cleaning", "find carpet-cleaning near me", or any carpet-cleaning service request.

0· 1.4k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md targets Lokuli's MCP endpoint and defines search, availability check, and booking RPC calls — all appropriate for a booking skill.
Instruction Scope
Instructions confine activity to Lokuli's MCP endpoint and agent tool calls (tools/call). They do not instruct reading local files or unrelated env vars. Minor inconsistencies: example payloads include hardcoded placeholders (providerId 'xxx', sample customer data, zipCode '90640') and a date in 2025; SKILL.md also states 'Transport: SSE | JSON-RPC 2.0 | POST requests' which mixes SSE (usually GET/stream) and POST semantics — clarify expected transport and which fields are runtime-provided.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing will be written to disk by an installer, which is low-risk.
Credentials
The skill declares no required environment variables or credentials. That is reasonable if Lokuli's MCP endpoint is intended to be public, but many booking APIs require authentication. The absence of any declared credentials or guidance for auth is an omission that should be validated with the publisher/platform.
Persistence & Privilege
Flags show normal defaults (always:false, model invocation allowed). The skill does not request persistent presence or system-wide configuration changes.
Assessment
This skill is internally consistent for booking via Lokuli's MCP and doesn't ask for local files or credentials — a good sign. Before installing, confirm: (1) whether Lokuli's endpoint requires API keys or user credentials (the SKILL.md omits any auth details), (2) that you trust the external domain https://lokuli.com for sending customer data (bookings include PII like name/email/phone), and (3) clarify the transport semantics (SSE vs POST) and how runtime values (zip code, providerId, customer details) are supplied. If the publisher cannot explain the missing authentication or data handling, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk979w35cqmgfwf7s59745ze7dx80n58w
1.4kdownloads
0stars
2versions
Updated 22h ago
v1.0.1
MIT-0
Lokuli@edwardrodriguez703-design
latest
Download

uook carpet cleaning

Book carpet-cleaning services through Lokuli's MCP server.

MCP Endpoint

https://lokuli.com/mcp/sse

Transport: SSE | JSON-RPC 2.0 | POST requests

Tools

search

{
  "method": "tools/call",
  "params": {
    "name": "search",
    "arguments": {
      "query": "carpet-cleaning",
      "zipCode": "90640",
      "maxResults": 20
    }
  }
}

check_availability

{
  "method": "tools/call",
  "params": {
    "name": "check_availability",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "date": "2025-02-10"
    }
  }
}

create_booking

{
  "method": "tools/call",
  "params": {
    "name": "create_booking",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "timeSlot": "2025-02-10T14:00:00-08:00",
      "customerName": "John Doe",
      "customerEmail": "john@example.com",
      "customerPhone": "+13105551234"
    }
  }
}

Comments

Loading comments...