Book HVAC
v1.0.1Book hvac services through Lokuli MCP. Use when user needs to find and book hvac. Triggers on requests like "book a hvac", "find hvac near me", or any hvac service request.
⭐ 1· 1.4k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the SKILL.md: it calls search, check_availability, and create_booking against Lokuli's MCP. That capability set is coherent for a booking skill. However, the skill references an external MCP endpoint (lokuli.com) and JSON-RPC transport but does not declare any required credentials or explain how requests are authenticated — a notable omission.
Instruction Scope
The instructions are narrowly focused on making JSON-RPC calls (search/check/create_booking) to the MCP endpoint and do not ask the agent to read local files or unrelated environment variables. Concern: the instructions assume the ability to call 'tools/call' and to communicate with https://lokuli.com/mcp/sse but do not specify authentication, consent handling, or how PII (customer name/email/phone) should be collected/validated.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk/write risk. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requires no environment variables or credentials in its metadata but clearly interacts with an external MCP endpoint. Real-world booking APIs typically require API keys, tokens, or OAuth — the absence of declared credentials is disproportionate/unexplained. Also booking actions will involve PII (customer contact info); how those are provided and stored is not specified.
Persistence & Privilege
The skill does not request always:true or any special persistence flags. Model invocation is not disabled (default), so the agent could call this skill when relevant; that is a typical default but means you should confirm the agent is allowed to perform bookings autonomously.
What to consider before installing
Before installing, verify these points: (1) Confirm how the skill authenticates to Lokuli's MCP — ask the author whether an API key/OAuth is required and where it should be stored (and ensure it's declared in requires.env). (2) Understand how PII (customer name, email, phone) will be collected, transmitted, and stored; avoid using the skill with real customer data until privacy/retention are clear. (3) Confirm who operates the endpoint (lokuli.com) and that it's legitimate; consider testing against a sandbox account. (4) Check what the 'tools/call' tool does in your agent runtime and whether the model can autonomously create bookings — if you want manual approval, require disableModelInvocation or otherwise restrict autonomous booking. (5) If you cannot obtain authentication details or author ownership/trust, treat the skill as untrusted and do not provide sensitive credentials or real customer data.Like a lobster shell, security has layers — review code before you run it.
latest
uook hvac
Book hvac services through Lokuli's MCP server.
MCP Endpoint
https://lokuli.com/mcp/sse
Transport: SSE | JSON-RPC 2.0 | POST requests
Tools
search
{
"method": "tools/call",
"params": {
"name": "search",
"arguments": {
"query": "hvac",
"zipCode": "90640",
"maxResults": 20
}
}
}
check_availability
{
"method": "tools/call",
"params": {
"name": "check_availability",
"arguments": {
"providerId": "xxx",
"serviceId": "yyy",
"date": "2025-02-10"
}
}
}
create_booking
{
"method": "tools/call",
"params": {
"name": "create_booking",
"arguments": {
"providerId": "xxx",
"serviceId": "yyy",
"timeSlot": "2025-02-10T14:00:00-08:00",
"customerName": "John Doe",
"customerEmail": "john@example.com",
"customerPhone": "+13105551234"
}
}
}
Comments
Loading comments...