Book Towing

Security checks across malware telemetry and agentic risk

Overview

This is a simple towing-booking skill that clearly uses Lokuli’s external service, with privacy and confirmation cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable using Lokuli for towing bookings. Before creating a booking, confirm the provider, time slot, contact details, cost or cancellation terms, and that you want your contact information shared for the service.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium, 93% confidence
Finding
The trigger description is broad enough to activate on generic towing-related requests without clear constraints or confirmation boundaries. That can cause unintended invocation of a booking-capable skill, increasing the chance the agent moves prematurely from discovery into transactional flow or starts collecting user/location/contact details when the user only wanted information.

Missing User Warnings

Medium, 97% confidence
Finding
The skill shows a booking operation that transmits personal data such as name, email, and phone number to an external MCP endpoint, but it does not instruct the agent to warn the user or obtain clear consent first. In this context, the risk is heightened because towing may be used in urgent situations where users may not realize their personal contact data is being sent to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.
