Book Dance Lessons

Security checks across malware telemetry and agentic risk

Overview

This is a simple disclosed booking skill for dance lessons, with normal privacy considerations because bookings send contact details to an external service.

Install only if you are comfortable using Lokuli for dance-lesson search and booking. Before creating any booking, confirm the provider, service, time, and contact details, and share only the information needed for the reservation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger text is broad enough to activate on essentially any request related to dance lessons, which can cause the agent to invoke this skill in situations where the user only wants general information rather than a third-party service workflow. In that context, the skill may steer the conversation toward external search and booking actions unnecessarily, increasing the chance of unintended data sharing or transactional behavior.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill supports create_booking with customer name, email, and phone sent to an external MCP endpoint, but the description does not warn that personal contact data will leave the agent environment. Users may provide sensitive information without informed consent, and broad triggering makes this more dangerous because the skill could engage before the user understands they are interacting with a third-party booking service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal