ClawHub

Book Pilates

v1.0.1

Book pilates services through Lokuli MCP. Use when user needs to find and book pilates. Triggers on requests like "book a pilates", "find pilates near me", or any pilates service request.

1· 1.3k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the SKILL.md: it targets booking pilates via Lokuli's MCP endpoint. No unexpected binaries or extra credentials are requested, which is consistent, but the skill references an external booking API (lokuli.com) without declaring how to authenticate or obtain access — this is a missing but not necessarily malicious element.
!
Instruction Scope
SKILL.md gives concrete JSON-RPC examples (search, check_availability, create_booking) and the MCP SSE endpoint, but uses hard-coded example values (zipCode: 90640, customerName/email/phone, fixed dates) and does not instruct the agent to prompt the user for location, contact details, or consent before transmitting personal data. It also does not explain how to authenticate to the Lokuli service or where to store credentials. Transmitting user PII to an external endpoint without explicit user-consent steps is a scope and privacy concern.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest install risk — nothing is written to disk or downloaded by the skill itself.
!
Credentials
The skill requests no environment variables or primary credential, yet it targets an external booking API. Booking/create endpoints typically require authentication; omitting any required API keys or tokens is a discrepancy. Also, the instructions include fields for sensitive personal data (name, email, phone) but give no guidance about consent or secure handling.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system privileges or to alter other skills. Autonomous invocation is allowed by platform default but is not combined with other elevated privileges here.
What to consider before installing
This skill appears to be a lightweight instruction-only connector to Lokuli's booking API, but it omits key operational and privacy details. Before installing or enabling it, ask or verify: (1) Does Lokuli require API credentials? If so, the skill should declare required env vars (API key/token) and how to provide them. (2) The skill must prompt you for your location, contact info, and explicit consent before sending any personal data to lokuli.com. (3) Confirm the MCP endpoint (https://lokuli.com/mcp/sse) is the official service you expect. (4) Prefer a version that does not contain hard-coded example PII or fixed zip/date values and that documents authentication and privacy handling. If you cannot verify these points or do not trust the external service, avoid enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk974kckhdn4pjj0cbgt50tjq6h80nxp2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments