ClawHub

Book Roofing

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is purpose-aligned for finding and booking roofing services through Lokuli, but users should confirm before sending contact details or creating a booking.

Install only if you intend to use Lokuli for roofing service search or booking. Before any booking is submitted, confirm the provider, service, date and time, price or estimate, cancellation terms, and that you agree to send your name, email, and phone number to Lokuli or the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger scope is overly broad because it claims to activate on 'any roofing service request,' which can cause the skill to engage in situations where the user is only seeking general information rather than intending to search or book. In this skill, that matters because activation can lead users into an external booking flow and eventual disclosure of personal data to a third-party MCP service without sufficiently clear intent boundaries.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill documents collection and transmission of customerName, customerEmail, and customerPhone to an external endpoint but provides no user-facing warning or consent guidance. This is dangerous because users may not realize their personal contact information is being sent to a third-party service, creating privacy, compliance, and trust risks if the transfer occurs without clear disclosure and confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal