Security audit

Product Hunt Launch Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a simple Product Hunt stats checker, but its advertised Telegram alert feature is not implemented in the files reviewed.

Install only if you want a manual Node.js CLI that fetches public Product Hunt pages. Do not expect Telegram alerts unless the publisher adds that feature, and pass only real Product Hunt post URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares no required permissions even though its documented behavior explicitly involves reading public Product Hunt pages, which requires network access. Undeclared network capability weakens the trust boundary and review process because hosts or users may approve the skill without understanding that it reaches external services.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description promises real-time tracking and Telegram alerts, but the documented commands only provide a local CLI check/trend interface and no alerting workflow. This mismatch is dangerous because users may grant trust or deploy the skill under false assumptions, making it easier to hide undisclosed behavior or bypass proper security review of what the skill actually does.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.