Book Piercing

Security checks across malware telemetry and agentic risk

Overview

This is a simple booking helper that discloses its Lokuli booking endpoint and expected contact fields, with privacy and confirmation points users should watch.

Install only if you are comfortable using Lokuli to search and book piercing appointments. Before allowing create_booking, confirm the studio or provider, service, date, time, and the exact name, email, and phone number that will be sent, and avoid sharing unnecessary personal information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger language is broad enough that the skill could activate on vague requests related to piercing services without clearly signaling that it will connect to an external booking provider. In a booking workflow, overbroad activation increases the chance of collecting or transmitting user details when the user only intended to browse or ask a general question.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill documents collection of customer name, email, and phone number for create_booking, but it does not warn users that this personal data will be sent to Lokuli's external MCP endpoint. This creates a meaningful privacy and consent risk because users may disclose sensitive contact information without understanding who receives it or for what purpose.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal