Is edwardrodriguez703-design/book-plumber safe?

https://github.com/openclaw/skills/tree/main/skills/edwardrodriguez703-design/book-plumber

79
CAUTION

This plumber booking skill contains suspicious title typos and transmits customer data to an unverified external service (lokuli.com). While no malicious code was detected, the external data transmission and quality concerns warrant caution.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (3)

MEDIUM Suspicious Title Typos -15

The skill title contains obvious typos ('uook plumuer' instead of 'Book Plumber') which could indicate intentional deception to bypass filters or simply poor quality control.

HIGH External Data Transmission to Unknown Service -50

The skill transmits user data including customer names, emails, and phone numbers to an external MCP server at lokuli.com. This creates potential privacy risks and data exfiltration concerns.

MEDIUM Unverified Third-Party Service Dependency -40

The skill relies on 'Lokuli MCP' service which is not a well-known or established service provider, raising questions about data handling practices and service reliability.