Book Massage
v1.0.1
Book massage services through Lokuli MCP. Use when user needs to find and book massage. Triggers on requests like "book a massage", "find massage near me", or any massage service request.
by Lokuli @edwardrodriguez703-design
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (book massage via Lokuli MCP) aligns with the SKILL.md which shows JSON-RPC calls for searching, checking availability, and creating bookings against an external Lokuli MCP endpoint.
Instruction Scope
Instructions show concrete JSON-RPC payloads that include customer PII fields (customerName, customerEmail, customerPhone) and an external endpoint (https://lokuli.com/mcp/sse). The SKILL.md does not describe authentication, consent, data minimization, or when/how to collect user PII. It also contains hardcoded/example fields (zipCode, date) and placeholders (providerId: xxx) without guidance. Sending user PII to an external service is reasonable for booking, but the lack of auth/consent controls and no guidance about verification is a scope concern.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest risk from an installation standpoint (nothing written to disk).
Credentials
The skill requests no environment variables or credentials, yet it expects to interact with an external booking API. Real booking integrations commonly require API keys or OAuth; the absence of any declared credential or instructions for authentication is unexpected and disproportionate to the task, or at least reflects incomplete documentation.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request persistent privileges or system-wide configuration changes. Autonomous invocation is allowed by platform default, which is normal.
What to consider before installing
This skill appears to perform legitimate booking actions, but it omits important operational details. Before installing or enabling it, consider:
1) Verify the external endpoint (https://lokuli.com) and confirm it's the intended service. Check its privacy policy and legitimacy.
2) Ask the skill author how authentication is handled (API key, OAuth, or anonymous access). If authentication is required, ensure keys/tokens aren’t left in plain text.
3) Be cautious about providing user PII (name, email, phone). The skill gives no guidance on explicit user consent or data minimization; require explicit consent before sending any personal data.
4) Test in a safe environment (no real credit-card or personal data) to observe actual network calls.
5) If you need stronger assurances (encryption, audit logging, revocation), request those from the publisher or avoid using the skill.
Additional information about authentication and the service's privacy/security practices would move this assessment toward benign.
