Trust Assessment
book-haircut received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are "Skill designed to transmit PII to third-party service" and "Reliance on external, unverified third-party endpoint".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Skill designed to transmit PII to third-party service. The `create_booking` tool explicitly defines arguments for `customerName`, `customerEmail`, and `customerPhone`. These fields are designed to collect Personally Identifiable Information (PII) from the user and transmit it to the external endpoint `https://lokuli.com/mcp/sse`. While this is necessary for the skill's stated purpose (booking services), it represents a direct data exfiltration path for sensitive user data to a third-party service. Improper handling by the LLM (e.g., extracting excessive PII) or the third-party service could lead to privacy breaches. Implement strict validation and sanitization of user input before populating PII fields. Ensure the LLM is carefully prompted to extract only the necessary PII and nothing more. Clearly inform users about the collection and transmission of their PII. Conduct thorough due diligence on the third-party service (`lokuli.com`) regarding its data handling and security practices. | LLM | SKILL.md:57 |
| MEDIUM | Reliance on external, unverified third-party endpoint. The skill relies entirely on an external endpoint `https://lokuli.com/mcp/sse` for all its functionality. The security posture, trustworthiness, and data handling practices of this third-party service are not verifiable from the skill definition itself. A compromise of this endpoint or malicious intent by the service provider could lead to data breaches, service disruption, or other security incidents. Conduct thorough due diligence on all third-party services and their security policies. Implement robust error handling and fallback mechanisms for external API calls. Consider sandboxing or isolating interactions with external services to limit potential blast radius in case of compromise. | LLM | SKILL.md:10 |