Book Videographer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: help search, check availability, and book videographer services through Lokuli, with normal booking-related personal details involved.

Install only if you are comfortable using Lokuli as a third-party booking service. Before creating a booking, review the details being sent, especially your name, email, phone number, location, schedule, and service preferences.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The manifest description uses broad trigger language such as 'any videographer service request,' which can cause the skill to activate in situations where the user did not clearly intend to use this third-party booking workflow. Because the skill connects to an external MCP endpoint and can lead to booking actions, over-triggering increases the risk of unintended data sharing or transactional actions.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill documentation shows collection and transmission of personal contact information including name, email, and phone number to an external booking service, but does not warn the user that this data will leave the local system. In a booking context, users may reasonably not expect silent third-party transmission of PII, creating privacy, consent, and compliance risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal