Book Meditation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: help users search and book meditation services through Lokuli, with normal privacy considerations for a booking flow.

Install only if you are comfortable using Lokuli as the booking provider. Use it for explicit provider search, availability checks, or booking requests, and confirm before sending your name, email, phone number, zip code, or appointment details to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger scope is broad enough to activate on generic meditation-related requests without clearly constraining when the booking skill should run. That increases the chance the agent invokes an external booking workflow prematurely, which can lead to unintended data sharing or transactional actions based on ambiguous user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill facilitates sending personal contact information such as name, email, and phone number to a third-party MCP endpoint, but it does not disclose this to the user or require an explicit warning/consent step. In a booking context, this makes unintended disclosure of personal data more likely if the agent proceeds without the user understanding what will be transmitted externally.

VirusTotal

66/66 vendors flagged this skill as clean.
