Book Extensions

Security checks across malware telemetry and agentic risk

Overview

This is a simple booking helper for Lokuli, with the main caution that it can send contact details to an external service when creating a booking.

Install this only if you want an agent to help search and book extension services through Lokuli. Before any booking is created, confirm the provider, service, date, time, and exact contact details, and share only information you are comfortable sending to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (95% confidence)
Finding
The trigger text is broad enough to match generic 'extensions' requests without clearly constraining the domain to salon or beauty services. That can cause unintended invocation, leading the agent to route unrelated user queries into an external booking workflow and potentially solicit or transmit data in the wrong context.

Missing User Warnings

High (98% confidence)
Finding
The skill describes booking through an external MCP endpoint and the example booking payload includes personal data such as name, email, and phone number, but there is no user-facing warning or consent language about sending that information to a third-party service. This creates a real privacy and data-handling risk because users may unknowingly provide sensitive contact information that is then transmitted off-platform.

VirusTotal

66/66 vendors flagged this skill as clean.
