Local Booking

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate local-service booking helper that uses Lokuli and Stripe for searches, bookings, and payment links.

Before installing, understand that searches and bookings go through Lokuli, and booking creation may share your contact details and service request information with Lokuli and payment providers. Review the provider, time, price, and contact details before approving any booking or opening a checkout link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger text is overly broad because it includes a catch-all for 'any local service request,' which can cause the skill to activate in situations the user did not clearly intend. In a booking/payment skill, over-triggering is risky because it can steer conversations toward external service calls, collection of location/contact details, and transactional flows unnecessarily.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs collection of customer name, email, and phone number and transmits them to an external booking/payment service, but it does not warn the user that this data will be shared with a third party. This creates a privacy and consent problem, especially since the same workflow also generates a Stripe checkout link, increasing exposure of personal and transactional data.

VirusTotal

64/64 vendors flagged this skill as clean.
