Book Haircut

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: helps book haircut appointments through Lokuli, with no evidence of hidden code or unrelated access.

Install only if you are comfortable using Lokuli as the external booking provider. Before creating a booking, confirm the appointment details and that you want your name, email, and phone number sent to Lokuli.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrase 'any haircut service request' is overly broad and can cause the skill to activate for loosely related salon or grooming queries without clear user intent to search or book through this external service. Because the skill can lead into booking flows and external data transmission, unintended activation increases the chance of privacy-impacting or confusing actions.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill facilitates sending personally identifiable information, including name, email, and phone number, to an external MCP service but does not disclose that data transfer in its description or usage guidance. This creates a meaningful privacy and consent risk because users may not realize their contact details are being transmitted off-platform to complete a booking.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal