Book Web Developer

Security checks across malware telemetry and agentic risk

Overview

This booking skill appears purpose-aligned, but it may send customer contact details to an external booking service without enough clear notice or confirmation.

Before installing, confirm you are comfortable sending booking requests and contact details to Lokuli. Use it only when you intend to book or check availability, and avoid providing phone or email until the agent clearly explains what will be sent and asks for confirmation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger language is broad enough to activate on generic requests related to finding or booking a web developer, which can cause the skill to engage outside a clearly consented booking workflow. In a skill that connects to an external service and can progress toward booking actions, overbroad activation increases the risk of unintended tool use and inappropriate sharing of user context.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill collects and sends customer name, email, and phone number to Lokuli's external MCP service, but it does not clearly disclose that this personal data will be transmitted off-platform. This creates a meaningful privacy and consent risk because users may provide sensitive contact information without understanding who receives it or for what purpose.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal