Book Tattoo
v1.0.1
Book tattoo services through Lokuli MCP. Use when the user needs to find and book a tattoo. Triggers on requests like "book a tattoo", "find tattoo near me", or any tattoo service request.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (book tattoo via Lokuli MCP) align with the instructions (search, check_availability, create_booking RPC calls). However the skill references an external MCP endpoint (https://lokuli.com/mcp/sse) but declares no credentials or auth mechanism; that omission is unexpected for a third-party booking API.
Instruction Scope
SKILL.md is instruction-only and limits actions to JSON-RPC calls to the MCP endpoint via platform tools. It does not ask to read files or environment state. Concerns: it contains hard-coded example customer data (John Doe, john@example.com, +13105551234) and a hard-coded zipCode (90640) which could accidentally be used if not replaced; the file does not require explicit user confirmation before creating bookings.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk and there is low install risk.
Credentials
The skill requests no environment variables or credentials. That is coherent if the platform supplies the tools and authentication, but incoherent if the MCP endpoint actually requires API keys or tokens. The lack of declared auth is an information gap that should be clarified.
Persistence & Privilege
always:false and the skill is user-invocable — normal and appropriately scoped. It does not request persistent system-level presence.
What to consider before installing
This skill appears to do what it says (search and book tattoos via Lokuli), but you should verify a few things before installing or using it:
1) Source trust: there is no homepage or author information—confirm you trust lokuli.com and the skill author.
2) Authentication: ask how the MCP endpoint is authorized; the skill declares no API keys or tokens — installing without knowing how auth is handled could leak your booking data if misconfigured.
3) Privacy: SKILL.md includes example personal data and a hard-coded zip code; ensure the agent will never send your real name, email, or phone to the endpoint without explicit consent.
4) Behavior: require the agent to ask you for confirmation of provider, date/time, and your contact details before calling create_booking.
If you need assurance, request the author to: (a) document the auth mechanism, (b) remove hard-coded PII and zip code from examples, and (c) add explicit user-consent steps in SKILL.md. Given the unknown origin and missing auth details, proceed cautiously or seek a version with clearer provenance and authentication.
Like a lobster shell, security has layers — review code before you run it.
latest
Book tattoo
Book tattoo services through Lokuli's MCP server.
MCP Endpoint
https://lokuli.com/mcp/sse
Transport: SSE | JSON-RPC 2.0 | POST requests
Tools
search
{
  "method": "tools/call",
  "params": {
    "name": "search",
    "arguments": {
      "query": "tattoo",
      "zipCode": "90640",
      "maxResults": 20
    }
  }
}
check_availability
{
  "method": "tools/call",
  "params": {
    "name": "check_availability",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "date": "2025-02-10"
    }
  }
}
create_booking
{
  "method": "tools/call",
  "params": {
    "name": "create_booking",
    "arguments": {
      "providerId": "xxx",
      "serviceId": "yyy",
      "timeSlot": "2025-02-10T14:00:00-08:00",
      "customerName": "John Doe",
      "customerEmail": "john@example.com",
      "customerPhone": "+13105551234"
    }
  }
}
