Book Color

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward booking integration for color services, with expected third-party booking data flow and no evidence of hidden execution or abuse.

Install this only if you are comfortable with booking requests and contact details being sent to Lokuli. Before finalizing any booking, review the service, time, location, and contact information, and confirm that you want the appointment created.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The manifest description uses broad trigger language such as applying to any 'color service request,' which can cause the skill to be invoked in situations broader than the user likely intended. Overly broad routing increases the chance that user requests and related data are sent to an external MCP service unnecessarily, creating privacy and consent risks.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes a booking flow that collects and transmits personal data including customer name, email, and phone number to a third-party endpoint, but it provides no user-facing warning or consent language. This is dangerous because users may not realize their personal information will be shared externally, creating privacy, compliance, and trust risks.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal