Book Detailing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward detailing-service booking helper that uses Lokuli’s external MCP service and does not show hidden execution, persistence, or malicious behavior.

Install only if you are comfortable using Lokuli’s external booking service. Before creating a booking, confirm the provider, service, time slot, and that your name, email, and phone number will be sent to Lokuli for the reservation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger language is broad enough to activate on generic 'detailing' requests without clearly constraining the flow to intentional booking actions. That can cause the agent to invoke an external booking/search capability unexpectedly, increasing the chance of unnecessary data sharing or unintended transactions in a context that handles service reservations.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill facilitates sending customer name, email, and phone number to an external MCP endpoint, but the description does not warn the user that their personal contact information will leave the system. In a booking context, this lack of transparency can lead to uninformed consent, privacy violations, and accidental disclosure of sensitive personal data to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal