Back to skill

Security audit

Concept Explainer

Security checks across malware telemetry and agentic risk

Overview

This is a simple local medical-concept explainer that runs a disclosed Python script and only writes a file when the user asks it to.

Safe to install for educational explanations. Treat the medical content as general education, not clinical advice, and use the output option only with a deliberate workspace filename.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes file-write capability via the `--output` parameter and notes that output files are saved to the workspace, but no explicit permissions are declared. This creates a governance and containment gap: downstream systems may treat the skill as lower risk than it is, and if path validation is weak, the tool could overwrite unintended files within the execution environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.