Back to skill

Security audit

Book Moving

Security checks across malware telemetry and agentic risk

Overview

This skill connects an agent to Lokuli to search for and book moving services, with expected privacy and confirmation caveats but no evidence of hidden or malicious behavior.

Install this only if you want an agent to use Lokuli for moving-service search and booking. Before any booking is submitted, confirm the provider, date, time, price, cancellation terms, and that you are comfortable sending your name, email, phone number, and booking details to Lokuli and any connected provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger guidance is broad enough to activate on generic 'moving' requests without clear scoping or confirmation, which can cause the agent to invoke an external booking workflow in situations where the user only wanted information or unrelated help. In a transactional skill, overbroad activation increases the risk of unintended third-party data sharing and premature booking actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill includes a booking tool that sends customer name, email, and phone number to an external MCP service, but the skill description provides no warning or consent guidance about transmitting personal data off-platform. This creates a privacy and compliance risk because users may not understand that their contact information will be shared with a third-party booking provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.