Book Laundry

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: help book laundry services through Lokuli, with ordinary booking privacy considerations but no hidden or destructive behavior found.

Install this only if you are comfortable using Lokuli for laundry booking. Before creating a booking, confirm the provider, date, time, price, and the exact name, email, and phone number that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger description is broad enough to activate on 'any laundry service request,' which can cause the skill to run in situations where the user did not clearly intend to use this external booking workflow. Because the skill connects to a third-party MCP endpoint and can progress toward booking actions, overbroad activation increases the risk of unintended data sharing or unintended transactional actions.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill defines a booking flow that collects and transmits personal contact data such as name, email, and phone number to an external service, but it does not warn the user that this information will be shared. In a booking context, missing disclosure and consent can lead to privacy harm, uninformed data transfer, and accidental exposure of sensitive personal information to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal