Book Eyebrows

Security checks across malware telemetry and agentic risk

Overview

This is a simple eyebrow-service booking skill that discloses its external Lokuli endpoint and only documents search, availability, and booking actions related to that purpose.

Install this only if you want an agent to use Lokuli to search for and book eyebrow services. Before any booking is submitted, confirm the provider, service, date, time, and the exact name, email, and phone number that will be sent to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger description is overly broad because it activates on essentially any eyebrows-related request, which can cause the skill to engage in situations where the user is only seeking information rather than intending to search or book through this external service. In a booking skill, over-triggering increases the chance of unintended tool use and unnecessary transmission of user context to a third-party MCP endpoint.

Missing User Warnings

High
Confidence: 97%
Finding
The skill facilitates booking through an external MCP service and the documented booking payload includes personally identifiable information such as name, email, and phone number, but the skill text does not warn users that this data will be transmitted off-platform. In this context, the omission is more dangerous because booking inherently requires sensitive contact details and could lead to privacy violations or uninformed consent if the agent proceeds without clear disclosure.

VirusTotal

60/60 vendors flagged this skill as clean.
