ClawHub

Book Painter

v1.0.1

Book painter services through Lokuli MCP. Use when user needs to find and book painter. Triggers on requests like "book a painter", "find painter near me", or any painter service request.

1· 1.3k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (book/find painters) align with the listed JSON-RPC tool calls (search, check_availability, create_booking). However SKILL.md uses hardcoded example parameters (zipCode: 90640, example dates, providerId/serviceId as 'xxx'/'yyy', and example customer data) rather than describing how to obtain user-specific inputs. This is more of a usability/engineering omission than outright mismatch.
Instruction Scope
Instructions show calling Lokuli's MCP endpoint and the JSON-RPC payloads to search and create bookings; they do not instruct the agent to read unrelated files or environment variables. Concern: SKILL.md does not explain how authentication/authorization to the external endpoint should be handled, nor does it state how user PII (name, email, phone) will be collected/validated before sending. The use of example PII in the examples could encourage accidental transmission if the agent substitutes real data without safeguards.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so there is no disk-installed payload to review. That minimizes install-time risk.
!
Credentials
The skill makes network calls to an external MCP endpoint (https://lokuli.com/mcp/sse) but declares no required environment variables or credentials. If the MCP API requires authentication (API key, OAuth token, or similar), the lack of declared credential requirements is a red flag — either the skill relies on undocumented platform-managed credentials/tools or it will attempt unauthenticated calls. Both possibilities warrant clarification.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows autonomous invocation (platform default), which is expected for skills of this type.
What to consider before installing
Before installing or enabling this skill, confirm the following: (1) Authentication: ask the skill author how the Lokuli MCP endpoint is authenticated — require explicit documentation of required env vars or that the platform's 'tools/call' provides the credentialing. Do not assume credentials are unnecessary. (2) Data handling: verify what user data (name, email, phone, location) will be sent, where it goes (lokuli.com), and whether the user consents. (3) Dynamic inputs: ensure the skill will use the user's actual location/time preferences instead of hardcoded values (the SKILL.md shows zipCode: 90640 and placeholder IDs). (4) Endpoint legitimacy: confirm the domain (lokuli.com) is the intended service and review its privacy/security posture. (5) Minimum permissions: prefer a skill that declares required environment variables or uses documented platform tools for auth rather than relying on implicit secrets. If the author cannot clarify these points, treat the skill as higher risk and avoid sending real PII through it.

Like a lobster shell, security has layers — review code before you run it.

latestvk971qj3tcgkez2x5p1t7zw9rvs80nwqh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments