ClawHub
Back to skill
v1.0.1

Book Venue

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This venue-booking skill is purpose-aligned, but it can create external bookings and send customer contact details without explicit confirmation or data-boundary guidance.

GuidanceTreat this as a review-before-use skill: it is coherent for venue booking, but set a rule that no booking is created until you explicitly approve the final venue, date, time, and contact details.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceMediumStatusConcern
SKILL.md
"name": "create_booking" ... "timeSlot": "2025-02-10T14:00:00-08:00", "customerName": "John Doe", "customerEmail": "john@example.com", "customerPhone": "+13105551234"

The skill documents a tool call that can create a real booking using customer contact details, but the artifact does not require explicit user confirmation or define safeguards before making that external change.

User impactThe agent could place a venue booking or share contact details with the booking service before the user has clearly approved the final venue, time, and terms.
RecommendationBefore installing or using, ensure the agent is instructed to ask for final confirmation before create_booking and to show the venue, time, contact details, cancellation terms, and any costs.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
MCP Endpoint ... https://lokuli.com/mcp/sse ... "customerEmail": "john@example.com", "customerPhone": "+13105551234"

The skill discloses an external MCP endpoint and shows personal contact fields being sent for booking. This is expected for venue booking, but data handling boundaries are not described.

User impactCustomer name, email, phone number, and booking preferences may be transmitted to Lokuli's MCP service.
RecommendationOnly provide the contact details needed for the booking, and review Lokuli's privacy and booking terms if available.