Book Gutter Cleaning

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for booking gutter-cleaning, but it can create an external booking and send personal contact details without a clear final-consent step.

Install only if you are comfortable using Lokuli for gutter-cleaning search and booking. Before any booking is submitted, verify the provider, service, appointment time, price or terms if shown, and the exact name, email, and phone number that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger condition is broad enough to activate on essentially any gutter-cleaning request, which can cause the skill to engage before the user has clearly consented to using this specific third-party booking flow. In context, that increases the chance of premature data collection or unintended transmission of booking-related information to the external Lokuli MCP service.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill includes booking parameters for customerName, customerEmail, and customerPhone but does not warn the user that this personal data will be sent to a third-party endpoint. In a booking skill tied to an external MCP server, lack of disclosure and consent makes unintended PII exfiltration more likely and weakens user control over sensitive contact information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal