Timemap

Security checks across malware telemetry and agentic risk

Overview

Timemap is a read-only public venue search skill that runs a local Python script, queries timemap.co.il, and caches public data temporarily.

This is reasonable to install if you want an agent-accessible Timemap search tool. Be aware that using it runs a local Python script, makes network requests to timemap.co.il, and stores a temporary cache of public venue data; the underlying community-curated data may be incomplete or inaccurate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Natural-Language Policy Violations

Low
Confidence
78% confidence
Finding
The README repeatedly states that search works in Hebrew or English and all examples are limited to those languages, which can be read as a language constraint for use of the skill. Because the policy requires language or locale constraints to be opt-in or clearly justified, this should be documented as a dataset-specific limitation rather than an implicit requirement.

VirusTotal

66/66 vendors flagged this skill as clean.
