Book Waxing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: help find and book waxing appointments through Lokuli, with no hidden code or install-time behavior found.

Before installing, consider that booking will use Lokuli's external service and may send your name, email, phone number, zip code, and appointment details there. Confirm the provider, time, and contact details before asking the agent to create a booking.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger language is broad enough to activate on nearly any waxing-related request without clear boundaries, which can cause the skill to engage when the user did not explicitly intend to start a third-party booking workflow. In this skill, unintended activation is more concerning because it leads into provider lookup and eventual transmission of booking-related personal data to an external MCP endpoint.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill demonstrates collection and transmission of customer name, email, and phone number to a third-party booking service but provides no user-facing warning, consent step, or data-handling notice. This is dangerous because users may unknowingly disclose sensitive personal contact information to an external service, creating privacy, compliance, and trust risks if the booking is initiated without explicit informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal