Book Party

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: help book party services through Lokuli, with expected external sharing of booking/contact details.

Install only if you are comfortable using Lokuli for party-service booking. Before creating a booking, confirm the details and understand that your contact information and booking details may be sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger description is broad enough to match generic party-related requests, which can cause the skill to activate when the user did not specifically intend to use this external booking workflow. Because the skill connects to a third-party MCP endpoint, unintended invocation increases the chance of unnecessary data sharing or actions being routed to an external service without clear user awareness.

Missing User Warnings

High
Confidence: 97%
Finding
The skill includes a booking operation that transmits personal contact details such as name, email, and phone number to an external service, but it does not warn the user or require explicit consent before sharing that data. In a booking context this makes the issue more dangerous, because the workflow naturally solicits sensitive personal information and could send it off-platform without the user clearly understanding where it is going.

VirusTotal

66/66 vendors flagged this skill as clean.
