vue-latest-changelog

Security checks across malware telemetry and agentic risk

Overview

This skill fetches Vue’s public changelog from GitHub and saves one local markdown file, matching its stated purpose.

Before running it, confirm you are comfortable making an outbound request to GitHub and writing or overwriting assets/latest_changelog.md in the current project. Review the short script if desired, and make sure the assets directory exists so the write succeeds.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill instructs the agent/user to run a Node.js script that fetches data from Vue's GitHub repository, which is a network-capable action, but the skill metadata does not declare any corresponding permission. Undeclared network access reduces transparency and can bypass expected security review controls, making it easier for a seemingly simple documentation skill to trigger outbound requests.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script silently retrieves remote content from GitHub and writes it to a local file without any user notification, confirmation, or integrity check. In an agent-skill context, this creates a supply-chain and transparency risk: remote content can change unexpectedly, and local files are modified as a side effect that the user may not anticipate.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal