Book Inspection

Security checks across malware telemetry and agentic risk

Overview

This Lokuli inspection-booking skill is not malicious, but it needs review because it can send contact details to an external service and create bookings without explicit consent guidance.

Install only if you intend to use Lokuli for inspection booking. Before any booking, require the agent to confirm the provider, service, date/time, contact details, and that your personal information will be sent to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The manifest trigger phrase is overly broad and can cause the skill to activate for loosely related 'inspection' requests outside the user's actual intent. That increases the chance of inappropriate tool use or premature routing into a booking workflow, especially because the skill can progress toward searching providers and creating bookings through an external MCP service.

Missing User Warnings

High
Confidence: 96%
Finding
The skill includes a booking flow that transmits personal contact data (name, email, phone) to an external MCP endpoint, but it does not warn the user or require explicit consent before collecting and sending that information. This creates privacy and compliance risk because users may not understand that their PII will be shared with a third-party service when a booking is made.

VirusTotal

66/66 vendors flagged this skill as clean.
