Book Haircut

v1.0.1

Book haircut services through Lokuli MCP. Use when user needs to find and book haircut. Triggers on requests like "book a haircut", "find haircut near me", or any haircut service request.

⭐ 1· 1.3k·0 current·0 all-time

byLokuli@edwardrodriguez703-design

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description and the SKILL.md align: the skill calls a Lokuli MCP endpoint to search, check availability, and create bookings. However, no credentials or auth mechanism are declared despite invoking an external booking API, which is unusual for a service that accepts bookings and PII.

Instruction Scope

Instructions show JSON-RPC calls (search, check_availability, create_booking) and include example customer PII. The SKILL.md does not instruct the agent to obtain explicit user consent, to request the user's name/email/phone before sending them, or to sanitize/confirm data. It also uses placeholder IDs ("xxx","yyy") and a hard-coded zip code, with no guidance on how to discover provider/service IDs or authenticate — scope and privacy practices are underspecified.

✓

Install Mechanism

Instruction-only skill with no install spec or code files — lowest install risk. Nothing is written to disk by the skill itself.

Credentials

The skill declares no required environment variables or primary credential yet directs requests to an external API (https://lokuli.com/mcp/sse) that almost certainly requires authentication in production. Absence of declared credentials or explanation for how auth will be handled is disproportionate to the operation (creating bookings/transmitting PII).

✓

Persistence & Privilege

The skill is user-invocable and not always-enabled; it does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.

What to consider before installing

This skill appears to be what it says (booking haircuts) but it's missing important details. Before installing or using it, confirm: 1) how the agent authenticates to Lokuli (API key, OAuth, or platform-managed token) — do not provide cloud or personal credentials unless you understand why; 2) how providerId/serviceId values are obtained and whether the agent will prompt you; 3) how your personal data (name, email, phone) will be transmitted, stored, and retained by Lokuli; 4) whether the platform's tools/call already enforce authentication and restrict data exfiltration. If you plan to test, use dummy data (no real PII) until these questions are answered. If you cannot get clear answers about authentication and privacy, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c05ysms0vzw7cb5va80e08180nt6x

1.3kdownloads

1stars

2versions

Updated 1mo ago

v1.0.1

MIT-0

uook haircut

Book haircut services through Lokuli's MCP server.

MCP Endpoint

https://lokuli.com/mcp/sse

Transport: SSE | JSON-RPC 2.0 | POST requests

Tools

search

{
  "method": "tools/call",
  "params": {
    "name": "search",
    "arguments": {
      "query": "haircut",
      "zipCode": "90640",
      "maxResults": 20
    }
  }
}

check_availability

{
  "method": "tools/call",
  "params": {
    "name": "check_availability",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "date": "2025-02-10"
    }
  }
}

create_booking

{
  "method": "tools/call",
  "params": {
    "name": "create_booking",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "timeSlot": "2025-02-10T14:00:00-08:00",
      "customerName": "John Doe",
      "customerEmail": "john@example.com",
      "customerPhone": "+13105551234"
    }
  }
}

Comments

Loading comments...