Book Acupuncture

Security checks across malware telemetry and agentic risk

Overview

This is a simple booking skill that sends appointment search and contact details to Lokuli, with privacy and confirmation caveats users should understand.

Install only if you are comfortable using Lokuli as the external booking service. Before creating a booking, confirm the provider, service, appointment time, any price or cancellation terms, and the exact name, email, and phone number that will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger language is broad enough to activate on general acupuncture-related requests without clearly constraining the skill to booking workflows. That can cause the agent to invoke an external MCP service unexpectedly, leading to unintended data sharing or transactional actions in contexts where the user only wanted information.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes collection and transmission of customer name, email, and phone number to a third-party booking endpoint without any documented user warning, consent step, or privacy notice. In a booking context this creates a real privacy risk because the agent may solicit and forward personally identifiable information before the user understands where it is going.

VirusTotal

66/66 vendors flagged this skill as clean.