Nmap Pentest Scans

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Nmap planning skill, but it generates runnable shell commands with the target inserted unsafely, so a crafted target could cause unintended command execution if an agent runs them.

Install only if you will use it for systems you are authorized to test. Do not let an agent automatically run generated commands from untrusted or loosely validated target input; review the command list first, use plain hostnames/IPs/CIDRs, and write outputs to a dedicated directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill advertises and produces multiple output artifacts, which implies file-writing capability, but it does not declare permissions for that behavior. Undeclared write access is dangerous because agents or reviewers may authorize the skill under incomplete assumptions, enabling it to create or overwrite files in the workspace without explicit consent boundaries.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal