Book HVAC

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple HVAC booking connector that discloses its Lokuli endpoint and required booking fields, but users should confirm before sharing contact details or creating an appointment.

Install only if you are comfortable using Lokuli for HVAC search and booking. Before any real booking, confirm the provider, service, appointment time, and contact details, and avoid using it for general HVAC advice unless you intend to search for or schedule service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding:
The trigger language is broad enough to activate on general HVAC-related user requests, not just clear booking intent. That can cause the agent to route users into an external booking workflow prematurely, increasing the chance of unintended third-party data sharing or confusing actions without explicit user consent.

Missing User Warnings

High
Confidence: 97%
Finding:
The skill instructs use of an external MCP endpoint and shows booking arguments containing customer name, email, and phone number, but does not warn that this personal data will be transmitted off-platform. In a booking context, this omission is especially risky because users may provide sensitive contact details without informed consent or understanding of where their data is going.

VirusTotal

66/66 vendors flagged this skill as clean.
