Grant Budget Justification

Security checks across malware telemetry and agentic risk

Overview

This is a simple local grant-budget text generator; its main risk is that it can write an output file and overwrite a user-chosen path.

Install only if you are comfortable running a local Python script. Use it in a project workspace, choose the output path carefully because existing files may be overwritten, and avoid placing sensitive proposal budget details in locations you do not intend to persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill metadata and content indicate file-writing capability via the `--output` parameter and statements that output files are saved to the workspace, yet no explicit declared permissions are present. This creates a trust and enforcement gap: users or platforms may assume the skill is less capable than it is, increasing the risk of unintended file modification or overwrite if path handling is weak.

Missing User Warnings

Low
Confidence: 81%
Finding
The markdown states that the skill can write output to a file and save data to disk, but it does not prominently warn users that running the skill may modify the filesystem. Even if intended behavior is benign, insufficient disclosure can lead to accidental overwrites, unexpected persistence of sensitive budget information, or unsafe use in automated environments.

VirusTotal

64/64 vendors flagged this skill as clean.
