Book Fitness

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward fitness booking connector, but users should know it uses Lokuli’s external service and may send contact details when making a booking.

Install this only if you are comfortable using Lokuli as a third-party booking provider. Do not provide your name, email, or phone number unless you intend to make a booking, and confirm the provider, service, time, and contact details before the agent submits them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger text is broad enough to activate on generic fitness-related requests, not just explicit booking workflows. That can cause the agent to invoke an external booking skill unexpectedly, increasing the chance of unnecessary third-party data sharing or steering a user into transactional flows they did not clearly request.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill documents collection and transmission of customer name, email, and phone number to an external MCP endpoint but does not warn users about that data flow. In a booking context, this omission is dangerous because users may provide personal contact details without informed consent or understanding that the information is being sent to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal