Back to skill
Skillv1.0.1
ClawScan security
Book Videographer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:06 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are consistent with a videographer-booking helper; it has no installs or extra credential demands, but it will call an external Lokuli MCP endpoint and may transmit user contact data — review that before use.
- Guidance
- This skill appears to do what it says: call Lokuli's MCP to search and book videographers. Before installing/use: (1) confirm you trust the external domain (lokuli.com) and its privacy/terms because booking requires sending personal contact details; (2) ask how authentication to the MCP endpoint is handled — the SKILL.md gives no auth instructions; (3) avoid providing sensitive PII unless you explicitly trust the service; (4) remember this is instruction-only so it won't install code locally, but it will cause network requests when invoked. If you need stronger guarantees, request documentation or an official homepage/source for Lokuli and verify the integration details.
Review Dimensions
- Purpose & Capability
- okName/description align with the runtime instructions: the SKILL.md defines search, availability check, and booking JSON-RPC calls for finding and booking videographers. There are no unrelated environment variables, binaries, or installs requested.
- Instruction Scope
- noteInstructions focus on booking workflow (search, check_availability, create_booking). They reference an external MCP endpoint (https://lokuli.com/mcp/sse) and include example customer data and placeholders. The skill does not instruct reading local files or unrelated system state. It also does not document authentication/authorization for the MCP endpoint (how requests are permitted/trusted is unspecified).
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteThe skill requests no environment variables or credentials, which is proportional. However, it will send (or instruct sending) user contact/booking information to an external domain (lokuli.com). That transmission is expected for a booking service but is a privacy consideration — the SKILL.md doesn't document authentication or where user data will be stored or how it's protected.
- Persistence & Privilege
- okalways:false (no forced inclusion). The skill does not request persistent system privileges or modify other skills/config. Autonomous invocation is allowed by default, which is normal for skills.