Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security checks across malware telemetry and agentic risk
Overview
This is a local Instagram caption and strategy helper with only optional local draft storage and no evidence of account access, posting, automation, or data exfiltration.
Before installing, understand that caption drafts can be saved locally and will remain there until removed. Avoid saving sensitive draft text if local workspace memory is shared or backed up. Instagram publishing and account actions remain manual.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 91% confidence
- Finding
- The trigger "fix my carousel" is ambiguous because it does not specify Instagram or content-strategy context, and could overlap with unrelated design or UI help requests. The manifest does not provide exclusion conditions or negative examples to narrow when this skill should activate.
VirusTotal
65/65 vendors flagged this skill as clean.