Security Audit

book-piercing

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

book-piercing received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Skill collects and transmits sensitive PII to external service.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Network Access

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Skill collects and transmits sensitive PII to external service The `create_booking` tool is designed to collect sensitive Personally Identifiable Information (PII), specifically `customerName`, `customerEmail`, and `customerPhone`. This data is then transmitted to the external service `https://lokuli.com/mcp/sse`. While this may be the intended functionality of the skill, it poses a significant data exfiltration risk if the external service is compromised or malicious. The collection and transmission of such sensitive data require careful consideration of privacy and security implications. 1. Transparency & Consent: Clearly inform users about the specific PII collected, how it will be used, and with which third-party services it will be shared. Obtain explicit consent before collection. 2. Third-Party Vetting: Thoroughly vet the security and privacy practices of `lokuli.com` to ensure data protection standards are met. 3. Data Minimization: Only collect the absolute minimum PII necessary for the skill's function. 4. Secure Transmission: Ensure all data transmission to `lokuli.com` is encrypted (e.g., via HTTPS). 5. Data Retention Policy: Implement clear data retention and deletion policies for collected PII.	LLM	SKILL.md:35

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/8d48ed958322be28.svg)](https://skillshield.io/report/8d48ed958322be28)