Book Barber

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: help users find barber services and create bookings through Lokuli, with ordinary booking-related privacy considerations.

Install only if you are comfortable using Lokuli for barber appointment searches and bookings. Before creating a booking, confirm the provider, service, time, and which contact details will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger description is broad enough to activate on generic phrases like 'find barber near me' or 'any barber service request,' which can cause the skill to run in situations where the user did not intend to initiate a third-party booking workflow. Because this skill connects to an external MCP service and can progress toward booking actions, over-triggering increases the risk of unintended data collection, external queries, and transactional confusion.

Missing User Warnings

High
Confidence: 97%
Finding
The skill includes a create_booking flow that collects and transmits personal data such as name, email, and phone number to an external service, but the description does not require an explicit user warning or consent step beforehand. This creates a meaningful privacy risk because users may not understand that their contact details are being shared with a third-party provider during the booking process.

VirusTotal

64/64 vendors flagged this skill as clean.
