Chemical Structure Converter

Security checks across malware telemetry and agentic risk

Overview

This chemical conversion skill is local and purpose-aligned, though its documentation inaccurately claims no file access while showing optional file export examples.

Install only if you are comfortable with a skill that can ask the agent to run local Python and create output files such as CSV or JSON. Verify chemical results with trusted cheminformatics tools before using them for research, safety, inventory, or regulatory decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The skill's security section claims 'No file access,' but examples explicitly write JSON and CSV files to disk. This mismatch can mislead users or downstream agents into approving or invoking the skill under a false assumption about filesystem safety, increasing the chance of unintended file creation or overwrite in the working directory.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal