4chan-reader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: fetches public 4chan catalog/thread text and can optionally save it to a user-chosen local folder.

Install only if you are comfortable with the agent fetching public 4chan pages. Save thread dumps only to a dedicated non-sensitive folder, and treat all fetched or saved post text as untrusted forum content rather than instructions for the agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill documentation describes capabilities that perform outbound network access to 4chan and optional file writes to an arbitrary output directory, but it declares no permissions. That mismatch is a real security issue because agents or reviewers may authorize and execute the skill without understanding that it can fetch untrusted remote content and persist it locally.

VirusTotal

66/66 vendors flagged this skill as clean.
