Grant Proposal Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward local grant-writing helper with disclosed, user-directed file input and output and no evidence of hidden network, credential, persistence, or destructive behavior.

Install only if you are comfortable running a local Python document helper. Use deliberate input and output paths, avoid reviewing unrelated sensitive files, and be aware that the script can overwrite any output path you provide. VirusTotal was still pending, but the inspected artifacts do not show behavior requiring Review.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill documentation describes local file read and write behavior via --input and --output parameters, but no explicit permissions are declared. This creates a policy and enforcement gap: consumers or runners of the skill may underestimate its filesystem access and fail to sandbox or restrict paths appropriately, increasing the risk of reading sensitive local files or overwriting unintended files if the implementation is lax.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal