Back to skill

Security audit

Book Electrician

Security checks across malware telemetry and agentic risk

Overview

This is a coherent electrician-booking skill, but it can send contact details and create a real external booking without clear consent or confirmation guardrails.

Install only if you intend to use Lokuli for electrician bookings. Before creating any booking, confirm the provider, service, time, cost or cancellation terms if available, and the exact name, email, and phone number that will be sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger language is broad enough to activate on generic electrician-related requests without clearly constraining scope to booking intent. This can cause the agent to invoke an external booking workflow prematurely, increasing the chance of unintended third-party requests or collection of user data in contexts where the user only wanted information or advice.

Missing User Warnings

High
Confidence
97% confidence
Finding
The booking flow sends personal contact data such as name, email, and phone number to an external MCP service, but the skill description does not disclose this data transfer or prompt for informed user consent. In a booking context, this is especially sensitive because users may not realize their PII is being transmitted off-platform to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.