Back to skill

Security audit

Book Music Lessons

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward music-lesson booking helper, with the main caution that booking sends contact details to Lokuli's external service.

Install only if you are comfortable using Lokuli as the booking provider. Before creating a booking, confirm the provider, lesson, time slot, and the exact contact details that will be sent externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger language is broad enough to match generic requests like finding or booking services, which can cause the skill to activate when the user did not specifically intend to use this provider or service flow. In a booking context, unintended invocation is more dangerous because the skill can lead users into external search and reservation actions that may collect or transmit personal data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill includes a booking flow that sends customer name, email, and phone number to an external MCP endpoint, but the description does not warn the user that this personal information will be transmitted off-platform. In a service-booking skill, omission of this disclosure creates a privacy and consent risk because users may provide sensitive contact details without understanding where they are going.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.