Book Brake Service

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward brake-service booking helper that shares normal booking contact details with Lokuli when creating an appointment.

Install only if you are comfortable using Lokuli for brake-service booking. Before confirming an appointment, review the provider, time slot, and contact details being sent, and do not provide personal information unless you intend to proceed with the booking.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger language is broad enough to activate on generic 'brake-service' requests without clear constraints, which can cause the agent to invoke this skill in contexts the user did not specifically intend. In a booking workflow, unintended activation may lead to premature provider lookup or progression toward collecting/transmitting booking details to a third-party service.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes a booking flow that transmits customer name, email, and phone number to an external MCP endpoint, but it does not warn the user that personal contact information will be collected and shared. This weakens informed consent and increases privacy and compliance risk, especially if the agent gathers and sends PII without an explicit notice and confirmation step.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal