Circos Plot Generator

Security checks across malware telemetry and agentic risk

Overview

The packaged skill is a manuscript anonymizer, but its registry name advertises a Circos plot generator, so users should review it before installing.

Install this only if you want a blind-review manuscript anonymizer, not a Circos plot generator. Run it on copies of manuscripts, verify the output path before execution, install DOCX support deliberately, and manually review text, metadata, figures, and supplemental files before submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation explicitly instructs users to run a local Python script that reads manuscript files and writes sanitized output, but it declares no permissions for those file operations. This creates a trust and audit gap: an orchestrator or reviewer may treat the skill as lower-privilege than it actually is, increasing the chance of unintended file access or overwrite when the packaged code is executed.

Unpinned Dependencies

Low
Category: Supply Chain
Content: docx
Confidence: 95%
Finding: docx

VirusTotal

39/39 vendors flagged this skill as clean.