Book local services

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local-service booking helper, but users should be aware it sends booking details and contact information to external services.

Install only if you want an agent to help use Lokuli for local-service bookings. Before approving any booking or cart, verify the provider, service, price, time slot, cancellation or payment terms, and the exact contact details that will be sent to the booking and payment services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding:
The trigger scope is overly broad because it activates on 'any local service request,' which can cause the skill to engage for general informational queries that do not clearly imply booking intent. In a skill that can progress toward collecting personal data and initiating bookings with external providers, over-triggering increases the risk of unintended data sharing, user confusion, or steering users into transactional flows they did not request.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill describes collecting customer name, email, phone number, and generating a Stripe checkout link, but it does not clearly disclose that this information will be transmitted to an external booking service and payment provider. In a real-world services context, that omission undermines informed consent and may cause users to reveal sensitive contact and transaction-related information without understanding where it is going.

VirusTotal

66/66 vendors flagged this skill as clean.
