Back to skill
Skillv1.0.1
ClawScan security
Book Mechanic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 11, 2026, 9:05 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is coherent with a mechanic-booking purpose, but it directs the agent to an external MCP endpoint (lokuli.com) and would transmit customer PII while providing no information about authentication, provenance, or data handling — this mismatch is worth caution.
- Guidance
- Before installing or using this skill, verify the legitimacy of lokuli.com and the MCP API (homepage, docs, privacy policy). Ask how the agent will authenticate (API key, OAuth) and why no credentials are declared in the skill metadata. Confirm what user data is required, how long it's retained, and whether bookings are sent only after explicit user consent. If you cannot verify the vendor and the auth/PII handling, avoid sending real customer information (test with dummy data) or restrict the skill's network access. If you proceed, monitor network calls and logs and limit the personal data you provide.
Review Dimensions
- Purpose & Capability
- noteName/description match the instructions: the SKILL.md defines search, check_availability, and create_booking calls for mechanic bookings via Lokuli's MCP. However, the skill references an external endpoint (https://lokuli.com/mcp/sse) while declaring no credentials or configuration; that's an unexplained gap (how does the agent authenticate/authorize to use the MCP?).
- Instruction Scope
- concernThe runtime instructions instruct the agent to initiate JSON-RPC/SSE calls to an external server and to send customer-identifying data (name, email, phone). The SKILL.md does not restrict what customer data is sent, ask for user consent, or explain data retention. That broad transmission of PII to an externally-hosted service is a scope/privacy concern.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk and there is no installer or third-party package to evaluate.
- Credentials
- concernThe skill declares no required environment variables or credentials, yet it points to a third-party API endpoint that in practice likely requires authentication. The absence of declared auth variables (API key, token) or guidance how requests are authorized is a mismatch and could lead to inadvertent unauthenticated requests or attempts to send sensitive data without clear safeguards.
- Persistence & Privilege
- okThe skill does not request persistent installation, 'always' is false, and it does not modify other skills or system-wide settings. It does, however, allow normal autonomous invocation (platform default), which increases blast radius if the skill is later found malicious — but that alone is not a protocol violation.