Back to skill

Security audit

Book Tailor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed tailor-booking helper that uses Lokuli’s external MCP service, with privacy cautions but no evidence of hidden or malicious behavior.

Install only if you trust Lokuli and the tailor providers involved. Before creating a booking, confirm the provider, service, appointment time, and the exact name, email, and phone number that will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger description is broad enough to activate on generic tailor-related requests, not just explicit booking intent. That can cause the agent to invoke an external booking/search workflow when the user may only be asking for advice, which increases the chance of unintended third-party interaction and data flow.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill documents collection and transmission of customer name, email, and phone number to an external MCP endpoint but does not warn users or require explicit consent. This creates a meaningful privacy and compliance risk because sensitive contact data may be shared with a third party unexpectedly during booking.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.