Book Pressure Washing

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward pressure-washing booking helper, but users should confirm before sending contact details or creating a booking.

Before using this skill, make sure the agent shows the provider, service, date/time, cost or terms if available, and the exact contact details it will send to Lokuli. Only approve create_booking when you intend to book and are comfortable sharing that information with Lokuli and the selected provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger text is broad enough to activate on essentially any pressure-washing-related request, which can cause the skill to run when the user is only asking for general information rather than intending to book. In a booking skill tied to an external MCP endpoint, over-triggering increases the chance of unnecessary external queries and premature progression toward a transactional flow.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The skill facilitates sending customer name, email, and phone number to a third-party MCP service, but the description provides no user-facing warning or consent cue about this data transfer. That creates a meaningful privacy and compliance risk because users may disclose personal contact information without understanding it will be transmitted externally for booking.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal