Book Alignment

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple booking helper that discloses its Lokuli MCP endpoint and the contact details used for bookings, with privacy considerations users should review.

Install only if you are comfortable using Lokuli's external service for alignment booking. Before allowing a booking, review the provider, service, date, time, and the exact name, email, and phone number that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium, 92% confidence
Finding
The trigger language is broad enough to activate on generic 'alignment service' requests without clearly constraining scope or requiring confirmation that the user intends to use Lokuli. In a booking skill that can search providers and create reservations, overbroad triggering can cause unintended routing into a third-party transactional workflow and increase the chance of unnecessary data disclosure or unauthorized booking steps.

Missing User Warnings

High, 97% confidence
Finding
The skill collects and transmits personal contact information such as name, email, and phone number to an external MCP endpoint, but the description does not disclose this data flow or obtain informed user consent. In a booking context, this is especially risky because users may not realize their PII is being sent to a third-party service, creating privacy, compliance, and trust concerns if mishandled or shared unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
