Skill v1.0.1
ClawScan security
Book Event Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (booking event planners via Lokuli MCP) is plausible and low-privilege, but the runtime instructions contain small but important inconsistencies and missing details that should be clarified before installing or using it.
- Guidance: This skill is plausibly what it claims, but before installing or using it you should: (1) confirm how the platform maps the "tools/call" RPCs to the Lokuli MCP endpoint and whether any API keys or auth are required and where they are stored; (2) ensure the agent will request explicit user confirmation before calling create_booking (to avoid accidental real bookings or charges); (3) remove or replace hard-coded sample PII and zip code so the agent uses the user's actual location and details; (4) verify the legitimacy of https://lokuli.com and its privacy/terms (you don't want your customers' data sent to an unknown service); (5) test in a safe/non-production mode (dry-run) to confirm behavior. These gaps are likely due to sloppy/incomplete documentation rather than malicious intent, but they should be resolved before use.
Review Dimensions
- Purpose & Capability (note): The name/description match the instructions: the skill claims to book event-planner services via Lokuli's MCP. It does not request credentials or binaries, which can be reasonable for an instruction-only skill that relies on platform tooling. However, the SKILL.md references a direct MCP endpoint (https://lokuli.com/mcp/sse) while the example calls use a generic "tools/call" JSON-RPC wrapper (search, check_availability, create_booking) without explaining how those tool calls map to the Lokuli endpoint or how authentication (if any) is handled.
- Instruction Scope (note): Instructions are narrowly scoped to searching, checking availability, and creating bookings and do not ask the agent to read files or environment variables. Concerns: (1) sample payloads contain hard-coded data (zipCode: 90640, and sample customer PII) and dated example timestamps — these could lead to accidental or inappropriate bookings if the agent uses examples verbatim; (2) omission of how/when to obtain user consent before calling create_booking; and (3) unclear mapping between the stated MCP endpoint and the provided "tools/call" RPC examples.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest risk for installation. Nothing is written to disk by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. That is proportionate for a simple search/booking skill; however, the presence of an external endpoint suggests there may be an undocumented authentication requirement (API key, token) in real usage — the SKILL.md does not address this.
- Persistence & Privilege (ok): The skill is not force-enabled (always: false) and uses the platform's normal invocation model. It does not request persistent system-level privileges in its metadata or instructions.
