Book Cake

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cake-booking skill that uses Lokuli's external service, with privacy and trigger-scope caveats users should understand.

Install this only if you are comfortable using Lokuli for cake bookings. Before creating a booking, confirm the provider, service, time, and that your contact details will be sent to Lokuli's external MCP service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger text is broad enough to activate on general cake-related queries such as discovery or informational requests, not just explicit booking intent. In an agent setting, that can cause the skill to engage prematurely and steer users into an external booking workflow they did not intend, increasing the chance of unnecessary third-party data exposure or unintended transactions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes a booking flow that sends customer name, email, and phone number to an external MCP endpoint, but it does not warn the user or require explicit acknowledgment before that transfer. This creates a privacy and consent risk because sensitive personal contact information may be transmitted to a third party without clear user understanding of where the data is going.

VirusTotal

64/64 vendors flagged this skill as clean.
