Book Braids

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent booking integration for braids appointments, with expected external service use and customer contact details, but users should understand what personal data is sent before confirming a booking.

Install only if you are comfortable using Lokuli for braid appointment booking. Before confirming a booking, verify the provider, time, price, and that the agent will send your name, email, phone number, and appointment details to Lokuli.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is broad enough to activate on general braids-related requests, not just explicit booking or provider-search intents. That can cause the skill to engage in contexts where the user did not intend to contact an external service, increasing the chance of unnecessary data collection, confusing tool use, or premature booking flows.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill facilitates sending personal data such as name, email, phone number, and appointment details to an external MCP endpoint, but it does not warn the user that this information will leave the system. In a booking context, this omission is risky because users may disclose sensitive contact and scheduling data without informed consent or understanding of the third-party transfer.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal