Book Dog Trainer

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate, but it can send your contact details to Lokuli and create a real booking without clear confirmation instructions.

Install only if you trust Lokuli for dog-trainer bookings. Before using it, require the agent to show the provider, service, time, price or terms if available, and exact contact details, then ask for explicit approval before creating a booking or sending personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger language is broad enough to activate on generic dog-trainer-related requests without clear constraints, which can cause the skill to run in situations the user did not intend. Because the skill can search providers and proceed toward booking, over-triggering increases the chance of unintended third-party contact, data handling, or transactional actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill handles booking by transmitting customer name, email, and phone number to an external MCP service, but the description does not explicitly warn the user that personal contact data will be shared with a third party. This creates a privacy and consent risk, especially if users invoke the skill expecting general information rather than a transactional workflow involving external data disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
