Back to skill

Security audit

Meow Finder

Security checks across malware telemetry and agentic risk

Overview

Meow Finder is a simple command-line catalog search tool with ordinary npm installation risk but no evidence of hidden access, data theft, persistence, or destructive behavior.

Install it only if you trust the npm/GitHub publisher and are comfortable with normal global npm package risk. The reviewed runtime behavior is local catalog search, but the dependency list could be tightened by pinning versions and removing unused packages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The README describes the tool as a "fast, offline CLI tool" at L05, which suggests operation without network dependency. However, the documented installation flow uses npm and git over the network at L10 and L16, so the documentation overstates the tool's offline nature in a way that contradicts actual usage expectations.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://github.com/abgohel/meow-finder"
  },
  "dependencies": {
    "commander": "^12.0.0",
    "node-fetch": "^3.3.0",
    "chalk": "^5.3.0"
  }
Confidence
40% confidence
Finding
"commander": "^12.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "commander": "^12.0.0",
    "node-fetch": "^3.3.0",
    "chalk": "^5.3.0"
  }
}
Confidence
40% confidence
Finding
"node-fetch": "^3.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "commander": "^12.0.0",
    "node-fetch": "^3.3.0",
    "chalk": "^5.3.0"
  }
}
Confidence
40% confidence
Finding
"chalk": "^5.3.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.