Book Photographer

Security checks across malware telemetry and agentic risk

Overview

This is a simple photographer booking skill that clearly points to Lokuli, though users should confirm before sending contact details or creating a booking.

Install only if you are comfortable using Lokuli for photographer booking. Before any booking is created, verify the provider, date, time, price or commitment terms, and confirm that your name, email, phone number, and scheduling details may be sent to Lokuli.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger description is broad enough to activate on generic photographer-related requests, not just explicit booking intent. In a transactional skill, unintended invocation can cause the agent to steer users into an external booking workflow or collect booking parameters when the user may only be asking for advice, recommendations, or general information.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill facilitates sending personal contact information such as name, email, and phone number to an external MCP endpoint, but the description does not warn the user about this data transfer. In a booking context, this increases privacy and consent risk because users may not realize their PII will be transmitted to a third-party service when completing the workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal