Book Driving Lessons

Security checks across malware telemetry and agentic risk

Overview

This is a small driving-lesson booking helper that uses Lokuli’s external service. It shares contact information as expected for a booking flow and contains no hidden code, install hooks, or persistence.

Install only if you are comfortable using Lokuli for driving-lesson search and booking. Before any booking is created, review the provider, service, time slot, name, email, and phone number, and confirm that you want those details sent to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding: The trigger condition is broad enough to activate on generic service-seeking language such as finding or booking driving lessons, without clear constraints around user intent confirmation. Overbroad activation increases the chance the skill is invoked when the user did not explicitly consent to using this external booking flow, which can lead to unintended data sharing or transactional actions.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill includes a booking flow that collects and transmits personal contact details such as name, email, and phone number to a third-party MCP endpoint, but it does not warn the user beforehand or describe that this data will be shared externally. In a booking context, this creates a meaningful privacy and consent risk because users may provide sensitive contact information without understanding where it is going.

VirusTotal

64/64 vendors flagged this skill as clean.
