Book Math Tutor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward math-tutor booking connector, but it can send contact details to Lokuli and create a real booking.

Install only if you intend to use Lokuli for math-tutor search and booking. Before creating a booking, confirm the tutor, time slot, cost and cancellation terms if available, and make sure you are comfortable sharing your name, email, phone, and location/search details with Lokuli.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger text is broad enough to activate on generic tutoring-related requests, not just explicit booking or provider-search intents. That can cause the agent to invoke an external booking workflow in contexts where the user only wanted advice or educational help, increasing the chance of unintended data sharing or transactional actions.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill directs use of an external MCP endpoint and the booking example includes customer name, email, and phone number, but there is no disclosure that this personal information will be transmitted to a third-party service. Users may unknowingly provide sensitive contact data, creating privacy, consent, and compliance risks if the skill is triggered without clear notice.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal