Book Mechanic

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward mechanic-booking connector, but it may send your contact details to Lokuli when creating an appointment.

Install only if you are comfortable using Lokuli as an external booking service. Before creating a booking, review and confirm the mechanic, service, appointment time, name, email, and phone number that will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger text is broad enough to activate on general mechanic-related requests, not just explicit booking intents. That increases the chance the skill is invoked when the user only wants information, causing unintended progression toward an external service workflow and possible collection/transmission of personal data without clear intent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill describes booking through an external MCP endpoint and includes fields for name, email, and phone number, but does not warn that this personal information will be sent to a third-party service. In a booking context, that omission can mislead users about data handling and prevent meaningful consent before transmitting sensitive contact details externally.

VirusTotal

64/64 vendors flagged this skill as clean.
