Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Book Tailor

v1.0.1

Book tailor services through Lokuli MCP. Use when user needs to find and book tailor. Triggers on requests like "book a tailor", "find tailor near me", or any tailor service request.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, MCP endpoint, and the three tool actions (search, check_availability, create_booking) are coherent for a booking skill. However, the SKILL.md provides no information about authentication/authorization for the external Lokuli MCP endpoint and includes a hardcoded example zip code, which suggests incomplete/placeholder configuration rather than a fully self-contained integration.
Instruction Scope
Runtime instructions direct the agent to call an external endpoint and to send customer PII (name, email, phone) to create bookings but do not instruct the agent to obtain explicit user consent, minimize data, or describe data handling/retention. The instructions do not reference reading any local files or env vars, which is good, but they lack privacy safeguards and error/auth handling.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself — low install risk.
Credentials
The skill declares no required environment variables or credentials. That could be legitimate if the hosting platform provides the necessary tooling/authentication for tools/call, but the SKILL.md offers no explanation. Requiring no credentials for an external booking API is unexpected and should be clarified.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges or modification of other skills. Autonomous invocation is allowed (platform default) but not combined here with additional red flags.
What to consider before installing
This skill appears to perform the advertised task (search and create bookings) but it omits key details about authentication and privacy. Before installing, verify: (1) how calls to https://lokuli.com/mcp/sse are authenticated (who holds the API key / token and where it is stored); (2) whether the platform will supply credentials or whether the skill will ask you to provide them; (3) how customer data (name, email, phone) is handled, stored, and deleted by Lokuli — the SKILL.md does not require explicit user consent before sending PII; (4) whether example values (e.g., zipCode 90640) will be replaced dynamically with the user's location. If you cannot get clear answers to those points, treat the skill cautiously or avoid installing it. If you proceed, ensure users are prompted and give explicit consent before any booking request that sends their contact details.


latestvk973kccag3rw2vv4wr60w588a980makf
