Book Beauty

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple booking helper for beauty services, with expected external service use and no evidence of hidden execution or persistence.

Install only if you are comfortable using Lokuli's external service for beauty searches and bookings. Before approving any booking, verify the provider, service, time, price, and that you are comfortable sharing your contact details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger description is broad enough to activate on generic beauty-related requests, which can cause the skill to engage when the user may only be seeking information rather than wanting to search or book through a third-party service. In this context, unintended invocation matters because the skill is connected to an external booking endpoint and can lead to unnecessary data collection or premature transactional flows.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow and booking examples show transmission of personal data such as name, email, and phone number to an external MCP service, but the skill does not warn the user about this data sharing before the booking flow. This reduces informed consent and increases privacy risk, especially because beauty bookings often involve location and scheduling details tied to identifiable individuals.

VirusTotal

65/65 vendors flagged this skill as clean.
