Back to skill

Security audit

Keyword Velocity Tracker

Security checks across malware telemetry and agentic risk

Overview

The available evidence shows dependency hygiene issues but no artifact-backed malicious, deceptive, persistent, or data-exfiltrating behavior.

Before installing, review the actual SKILL.md and any scripts, pin or update dependencies, and install in an isolated environment if you need to run it. I did not find artifact-backed evidence requiring a Review or malicious classification from the supplied scan signals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
enum
numpy
Confidence
60% confidence
Finding
dataclasses

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
enum
numpy
Confidence
60% confidence
Finding
enum

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
enum
numpy
Confidence
60% confidence
Finding
numpy

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
numpy

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.