Book Electrician

Security checks across malware telemetry and agentic risk

Overview

This is a coherent electrician-booking skill, but it can share contact details and create a real external booking without explicit confirmation or privacy guardrails.

Install only if you intend to use Lokuli for electrician bookings. Before any booking is created, confirm the provider, service, time, cost or cancellation terms if available, and the exact contact details that will be shared.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger text is broad enough to activate on generic electrician-related requests without clearly requiring explicit user intent to search or book a provider. In a booking skill that can lead to searches, availability checks, and eventual transmission of booking details to an external MCP service, over-triggering increases the risk of unintended third-party data sharing or transactional actions.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill includes a booking flow that sends customer name, email, and phone number to an external endpoint, but it does not specify any user-facing notice, consent step, or minimization guidance before collecting and transmitting that personal data. In this context, the omission is more dangerous because the skill is specifically designed to perform real-world bookings through a third-party MCP server, making unintentional PII disclosure plausible.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal