Book Tree Service

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward tree-service booking helper that uses a disclosed external Lokuli MCP endpoint.

Install this only if you are comfortable using Lokuli as the external provider for tree-service search and booking. Before creating a booking, confirm the provider, time, service, and any contact details that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger description is broad enough to activate on nearly any generic tree-service request, which increases the chance the skill is invoked without clear user intent to use this specific external booking integration. In context, that can route users into an external MCP workflow and potentially progress toward sharing booking details with a third party when they may have only been seeking general information or recommendations.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill facilitates sending customer name, email, and phone number to an external MCP endpoint, but the description does not disclose that personal contact data will leave the local agent context. This is dangerous because users may not realize they are consenting to third-party transmission of personally identifiable information during booking, undermining informed consent and privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal