Book Car Wash

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward car-wash booking skill that uses Lokuli’s external service and may submit contact details when creating a booking.

Install only if you are comfortable using Lokuli as the third-party booking service. Before creating a booking, confirm the provider, service, time slot, any price or cancellation terms shown, and the name, email, and phone number that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill facilitates a booking flow that explicitly sends customerName, customerEmail, and customerPhone to an external MCP endpoint, but the description does not warn the user that their personal contact information will be transmitted off-platform. This creates a real transparency and privacy issue because users may provide sensitive contact data without informed consent or understanding of the external recipient.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal