Lokuli Service Booking

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local-service booking helper, but users should be careful because booking requires sharing contact details with Lokuli and using a Stripe payment link.

Install only if you trust Lokuli for service booking. Before approving a booking or cart, verify the provider, service, time, price, cancellation terms, contact details being shared, and the Stripe checkout destination.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger scope is broad enough to activate on vague 'local service' requests, which can cause the agent to enter a booking and data-collection flow when the user did not clearly intend to use this third-party service. In this context, over-triggering is more dangerous because the skill can progress toward sharing location and personal contact details with an external booking endpoint.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs collection of name, email, phone, ZIP, and booking details for transmission to a third-party MCP service, but it does not warn the user that this information will be shared externally. That omission undermines informed consent and increases privacy risk, especially because the workflow culminates in booking creation and payment-link generation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal