Book Tune Up

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward booking helper for a disclosed Lokuli endpoint, with some privacy and confirmation caveats but no hidden execution or persistence.

Install only if you intend to use Lokuli for tune-up search and booking. Before a booking is created, confirm the provider, service, date, time, and that you are comfortable sending your name, email, phone number, ZIP code, and appointment details to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (89% confidence)
Finding
The trigger description is broad enough that the skill could activate on vague 'tune-up' requests without clearly establishing scope, service type, or user intent. In an agent setting, overbroad routing can cause unintended tool use, expose provider search behavior, or move the conversation toward booking actions the user did not explicitly request.

Missing User Warnings

Medium (94% confidence)
Finding
The skill includes a create_booking flow that collects and transmits personal contact details, but it does not instruct the agent to warn the user or obtain clear consent before sending that data to a third-party MCP endpoint. This creates a privacy and compliance risk because users may not realize their name, email, and phone number are being shared externally as part of the booking operation.

VirusTotal

66/66 vendors flagged this skill as clean.
