Trust Assessment
local-booking received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Untrusted content attempts to inject instructions into LLM, Skill transmits sensitive PII to external service, Skill can initiate real-world transactions and collect PII.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Untrusted content attempts to inject instructions into LLM The 'Rules' section within the untrusted `SKILL.md` attempts to dictate the LLM's behavior (e.g., 'Never book without confirmation', 'Show pricing upfront'). This is a direct prompt injection vector, as an attacker modifying this untrusted content could manipulate the LLM's operational guidelines, potentially leading to unauthorized actions or data exposure. Move operational rules and safety guidelines for the LLM out of untrusted skill content and into the trusted system prompt or agent configuration. Untrusted content should never be used to define the LLM's core behavioral constraints. | LLM | SKILL.md:123 | |
| HIGH | Skill transmits sensitive PII to external service The `create_booking` tool requires `customerName`, `customerEmail`, and `customerPhone` as arguments. This sensitive Personally Identifiable Information (PII) is then transmitted to the external `https://lokuli.com/mcp/sse` endpoint. While this is the intended functionality of the booking skill, it represents a significant data exfiltration risk if the external service or the communication channel is compromised. Users should be fully aware of this data handling. Ensure robust security measures, data encryption, and strict data handling policies are in place for the `lokuli.com` endpoint. Users should be explicitly informed about the collection and transmission of their PII to third-party services. Consider anonymizing data where possible or using tokenization for sensitive fields. | LLM | SKILL.md:55 | |
| MEDIUM | Skill can initiate real-world transactions and collect PII The `create_booking` and `create_cart` tools grant the AI agent the ability to initiate real-world service bookings and create shopping carts, which can lead to financial transactions. The `create_booking` tool also collects sensitive PII (`customerName`, `customerEmail`, `customerPhone`). While these permissions are central to the skill's purpose, their power, combined with the untrusted nature of the 'Rules' intended to govern their use, poses a risk. Misuse or manipulation of these tools could lead to unauthorized bookings or PII exposure. Implement strong, explicit user confirmation steps *outside* of the LLM's control for any action that initiates real-world transactions or transmits sensitive PII. Ensure that the LLM's access to these powerful tools is strictly controlled and auditable. The 'Rules' governing LLM behavior should be part of the trusted system prompt, not the untrusted skill definition. | LLM | SKILL.md:55 |
Scan History
Embed Code
[](https://skillshield.io/report/f16127cb88b6d3bf)
Powered by SkillShield