Studio Booking Manager

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a disclosed studio-booking helper, but it handles customer and payment workflows that should be deployed with privacy, authorization, and confirmation controls.

Before installing, confirm the bot authenticates customers and admins, limits access to booking history and spending stats, shows a privacy notice before collecting contact data, and requires explicit confirmation for payment, cancellation, and refund actions.

SkillSpector (2)

By NVIDIA

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs the agent to collect contact details and use client history for personalization, but it provides no user-facing notice about what personal data is collected, why it is needed, how long it is retained, or who can access it. In a booking workflow that combines identity, visit history, and payment-related actions, this omission increases privacy and compliance risk and can lead to over-collection or misuse of personal data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill includes payment-link generation, invoice holds, cancellation, and refund logic, but it does not require explicit user confirmation or warn about financial side effects before initiating payment-related actions. In a Telegram bot context, this can cause unintended charges, mistaken refunds, or abuse through ambiguous callbacks and automated flows, especially when booking and payment actions are closely coupled.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.
