Book Locksmith
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: book-locksmith
Version: 1.0.1
The skill is suspicious due to the hardcoded customer details ('John Doe', 'john@example.com', '+13105551234') within the `create_booking` tool definition in `SKILL.md`. While the external network call to `https://lokuli.com/mcp/sse` is expected for a booking service, the use of fixed personal information as default arguments poses a significant risk of unintended data submission or privacy issues if the agent uses these values without proper user input or confirmation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could book a locksmith appointment or send contact details before the user has clearly approved the final provider, time, and details.
The skill documents a tool that can create a real-world service booking using the user's contact information, but the instructions do not require explicit user confirmation before submitting the booking.
"name": "create_booking", "arguments": { "providerId": "xxx", "serviceId": "yyy", "timeSlot": "2025-02-10T14:00:00-08:00", "customerName": "John Doe", "customerEmail": "john@example.com", "customerPhone": "+13105551234" }
Only use this skill after confirming the exact provider, service, time slot, price or estimated cost, and contact details; the skill author should add explicit confirmation and cancellation guidance before create_booking.
Your name, email, phone number, and booking details may be shared with the Lokuli MCP service to complete the booking.
The artifact discloses that booking requests go to an external MCP endpoint and may include personal contact information.
MCP Endpoint: https://lokuli.com/mcp/sse ... "customerName": "John Doe", "customerEmail": "john@example.com", "customerPhone": "+13105551234"
Share only the information necessary for the booking and verify that you are comfortable sending it to the listed Lokuli endpoint.
