Back to skill

Security audit

Book Laundry

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: helps users search for and book laundry services through Lokuli, with ordinary booking privacy considerations.

Install this only if you are comfortable using Lokuli for laundry booking. Before creating a booking, confirm the provider, date, time, and the exact name, email, and phone number that will be sent to Lokuli.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs use of an external MCP endpoint to create bookings and includes collection/transmission of personal data fields such as customer name, email, and phone number, but it provides no user-facing warning or consent step before sending that data off-platform. This creates a privacy and compliance risk because users may not realize their personal information is being disclosed to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.