Date Calculator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to have a normal user-directed JSON output feature, with the main caution that output paths should be chosen carefully.

Install if you are comfortable with the skill writing a JSON output file when you request it. Use a dedicated workspace output path, avoid pointing `--output` at important existing files, and review the generated file before sharing it.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation indicates file-writing capability via the `--output` parameter and explicit JSON output file behavior, but no declared permissions are present. This creates a mismatch between documented capabilities and permission metadata, which can lead to unsafe execution assumptions and unauthorized file creation or overwriting in environments that rely on declarations for policy enforcement.

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The markdown advertises writing output JSON files but does not warn that specifying an output path may create or overwrite files. In practice this can cause accidental data loss or unsafe operator behavior, especially because the skill already acknowledges file system access and includes an output path parameter.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal