Book Wedding

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for wedding bookings, but it needs review because it can send contact details to an external service and create real bookings without clear confirmation safeguards.

Install only if you are comfortable using Lokuli for wedding-service search and booking. Before allowing a booking, require the agent to confirm the provider, service, date and time, cost or deposit, cancellation terms, and the exact contact details that will be sent to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (89% confidence)
Finding
The trigger description is broad enough to match generic wedding-related requests, which can cause the skill to activate when the user only wants information rather than a booking workflow. Because this skill connects to an external MCP endpoint and supports booking actions, unintended invocation increases the chance of unnecessary data sharing or accidental transactional steps.

Missing User Warnings

High (97% confidence)
Finding
The skill documents transmission of sensitive personal data such as name, email, phone number, and booking details to an external endpoint, but it does not warn the user or require explicit consent before sending that data. In a booking context, this creates a meaningful privacy and compliance risk because users may not realize their personal information is being shared with a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.
