Book Manicure

Security checks across malware telemetry and agentic risk

Overview

This is a simple manicure-booking skill that clearly points to an external Lokuli booking service, with privacy-relevant but purpose-aligned data sharing.

Before installing, understand that searches and bookings use Lokuli's external MCP service. Confirm the provider, service, date, time, price, cancellation terms, and consent to share your contact details before creating any booking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger description is overly broad because it activates on "any manicure service request," which can cause the skill to be invoked without sufficient user intent for booking or external search. In a booking skill that connects to a third-party MCP endpoint, overly broad activation increases the chance of unnecessary external queries or workflow initiation based on ambiguous user requests.

Missing User Warnings

High
Confidence: 97%
Finding
The skill facilitates sending sensitive personal and booking data, including name, email, phone number, and potentially location-derived search data, to an external service but does not warn the user or document that transfer. This creates a meaningful privacy and consent risk because users may not realize their personal data will leave the host environment and be processed by a third-party MCP server.

VirusTotal

65/65 vendors flagged this skill as clean.
