lann-booking
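v1.0.4
Provides store lookup, SPA service lookup, and online booking for Lann Thai Massage (蘭泰式按摩). Supports booking of professional services such as traditional Thai massage, essential oil treatments, and herbal hot compresses, covering stores in multiple cities including Shanghai, Hangzhou, and Chengdu.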
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included assets: store/service JSON, templates, and test scripts. The skill's declared requirements list no binaries/env vars, but README and scripts expect Python and/or Node/npm for testing and MCP mode — this is a documentation/inventory mismatch (not evidence of malicious behavior).
Instruction Scope
SKILL.md instructs the agent to read bundled files (org_store.json, prod_service.json), perform fuzzy matching, collect booking parameters, show a confirmation, and call either a local MCP server or the documented remote API (https://open.lannlife.com/mcp/book/create). There are no instructions to read unrelated system files or to exfiltrate secrets.
Install Mechanism
No formal install spec was provided (instruction-only), which lowers install risk. Scripts reference cloning/using an external 'lann-mcp-server' and suggest running 'npx lann-mcp-server' or 'npm start' if present. That means running the optional MCP mode could pull/execute third‑party code — review that server before installing/executing it.
Credentials
The package requests no required environment variables or credentials. It uses an API endpoint (default: https://open.lannlife.com/mcp/book/create) and optional PORT/HOST/API_ENDPOINT env vars for configuration — these are proportionate to a booking skill. No SECRET/TOKEN/PASSWORD env vars are requested.
Persistence & Privilege
Skill flags show normal privileges (always:false, agent-autonomy allowed). The skill does not request permanent presence or attempt to modify other skills. It documents non-persistence of phone numbers (logs masked), though you should validate actual runtime behavior if you run it against a real API.
Assessment
This skill appears to do what it claims: local lookups from included JSON files and booking calls to the documented API. Before installing or running:
1) Note the README/scripts expect Python and/or Node/npm even though the registry metadata lists none — install those tools if you plan to run tests.
2) The default API endpoint is https://open.lannlife.com/mcp/book/create — the skill will make outbound network calls to that domain; confirm you are comfortable with that and check the provider's privacy policy.
3) If you enable MCP 'local' mode the scripts suggest using 'npx lann-mcp-server' or cloning a separate lann-mcp-server repo — review that server code before running or installing via npx (it can execute arbitrary code).
4) The test scripts include a hard-coded test phone number; they will send whatever values you configure to the API during tests.
5) The inventory/documentation mismatch (required binaries not listed in metadata) is likely an oversight — treat it as a documentation issue and confirm required runtime dependencies before execution.
Like a lobster shell, security has layers — review code before you run it.
latestvk97avrd503rnb9f05fxy86cswn84j82j
Runtime requirements
💆 Clawdis
