Book Garage Door

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, disclosed garage-door booking helper that uses Lokuli’s external MCP service and does not include executable code or hidden persistence.

Install only if you are comfortable using Lokuli as the booking provider. Before any booking is created, confirm the provider, date, time, and contact details, and expect your name, email, phone number, and booking details to be sent to Lokuli.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger text is broad enough to activate on essentially any garage-door-related request, which increases the chance the skill is invoked without clear user intent to use this specific external booking workflow. Because the skill can lead into provider lookup and booking actions, overbroad activation raises the risk of unintended tool use and unnecessary exposure of user data to a third-party MCP service.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill documents collection and transmission of customer name, email, phone number, and likely location-linked booking details to an external endpoint, but it does not warn the user about this data sharing. This is dangerous because users may provide sensitive personal information without informed consent, creating privacy, compliance, and trust risks if data is sent to a third-party service unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal