Book IT Support

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: use Lokuli to search availability and book IT support, with ordinary booking privacy caveats.

Install if you want Lokuli-based IT support booking. Before creating a booking, confirm the provider, service, time slot, and that your name, email, and phone number will be shared with the external booking service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger description is broad enough to match general IT-support requests, which can cause the skill to activate in situations where the user did not clearly intend to use this booking workflow. That can lead to premature routing into a third-party booking flow and unnecessary collection or transmission of user data to the Lokuli MCP service.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill includes booking parameters for customer name, email, and phone number but provides no warning, consent step, or data-handling notice before those personal details are collected and sent to an external MCP endpoint. In context, this is more dangerous because the skill is explicitly designed to transmit PII to a third-party service during booking, making accidental over-collection or uninformed disclosure more likely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal