Spec To Checklist

Security checks across malware telemetry and agentic risk

Overview

This skill is a local checklist generator that uses a disclosed Python helper to turn user-provided specs into review drafts, with no evidence of network access, credential use, persistence, or destructive behavior.

Install only if you are comfortable giving the skill the spec or requirements files you select. Avoid feeding unnecessary secrets or sensitive personal data, choose output paths deliberately because the script can write the requested report file, and treat the result as a review aid rather than evidence that testing passed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill declares no permissions, yet its instructions explicitly allow running `python3` and imply reading local resource files and writing output files. This creates a capability/permission mismatch that can mislead operators and downstream policy engines, increasing the chance that shell execution or filesystem access occurs without appropriate review.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal