ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Book Auto Body

v1.0.1

Book auto-body services through Lokuli MCP. Use when user needs to find and book auto-body. Triggers on requests like "book a auto-body", "find auto-body near me", or any auto-body service request.

0· 1.4k·0 current·0 all-time
byLokuli@edwardrodriguez703-design
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions (search, check_availability, create_booking against Lokuli's MCP). However, a booking integration would normally document how to authenticate to the external MCP or declare required credentials; no credentials or auth flow are requested or explained.
Instruction Scope
SKILL.md provides JSON-RPC templates and an MCP SSE endpoint; it does not ask the agent to read unrelated files or environment variables. But the examples include hard-coded placeholders (zipCode 90640, dates, and example customer PII like 'John Doe' and a phone/email) and give no guidance on substituting real user data, validating consent, or obtaining user location — making the instructions incomplete and potentially risky when live data is used.
Install Mechanism
Instruction-only skill with no install spec, no code files, and no downloads — minimal installation risk.
!
Credentials
The skill declares no required environment variables or credentials but points to an external booking endpoint. Real-world booking APIs typically require API keys, OAuth tokens, or other credentials; the absence of any declared auth or explanation about where credentials come from is an incoherence that could indicate incomplete documentation or hidden dependencies on platform-managed credentials.
Persistence & Privilege
always is false and there is no request to modify agent/system-wide settings. The skill does not request persistent presence or elevated privileges.
What to consider before installing
This skill appears to aim at booking auto-body services via Lokuli, but the instructions are incomplete. Before installing or using it: 1) Verify the Lokuli MCP endpoint (https://lokuli.com/mcp/sse) is a legitimate service you trust. 2) Ask how authentication is handled — the skill doesn't declare any API keys or tokens; determine whether the platform will supply credentials or if the skill requires sensitive credentials you would need to provide. 3) Be cautious about sending user PII (name, email, phone, location) to an external endpoint — confirm consent and data-handling policies. 4) Test in a sandbox or with dummy accounts to confirm behavior, and require the skill author to replace hard-coded placeholders with clear parameterization and an auth flow before using with real users.

Like a lobster shell, security has layers — review code before you run it.

latestvk971wsfc87w1rv8xd7z8k8htxs80mjgk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments