abe-exchange-rates

Security checks across malware telemetry and agentic risk

Overview

This appears to be a currency-rate lookup skill with a transparency issue around fallback data sources, not evidence of malware or unsafe control of the user’s system.

Install only if informational exchange-rate lookup is acceptable for your use case. Do not rely on the output for compliance, accounting, trading, or source-specific pricing decisions unless the skill clearly reports which provider supplied each rate.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The skill advertises XE.com-sourced exchange rates, but if scraping fails it silently switches to a different provider. This is a real integrity and transparency issue because callers may rely on the stated source, pricing methodology, or legal/compliance characteristics of XE, while actually receiving data from another service without notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal