Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Content Production
Security checks across malware telemetry and agentic risk
Overview
This is a coherent content-writing and SEO helper skill with local analysis scripts and no evidence of hidden, destructive, persistent, or credential-seeking behavior.
Reasonable to install for drafting and polishing marketing content. Avoid putting secrets in marketing-context.md or drafts passed to the helper scripts, and independently verify factual claims before publishing.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)
Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 99% confidence
- Finding
- This is a clear mismatch because the declared purpose is content creation from scratch ('blank page to published-ready piece'), but the code does not generate blog posts, articles, or guides. Its primary function is evaluation and optimization of already-written content. That is materially different from an end-to-end writing pipeline. While SEO and brand voice could support content production, the implemented behavior is specifically analytical and scoring-oriented, with no drafting, outlining, or publishing-ready content generation shown.
Description-Behavior Mismatch
Medium
- Confidence
- 95% confidence
- Finding
- The manifest describes a skill for taking a topic from blank page to a publish-ready blog post, article, or guide end-to-end. This file instead performs narrow diagnostic analysis of existing text for brand voice, readability, and sentence variety, which is supportive tooling but not content production itself.
Vague Triggers
Medium
- Confidence
- 95% confidence
- Finding
- The trigger list includes broad phrases like 'help me write' and 'create content for', which are common requests that could match many unrelated writing tasks. Although some exclusion conditions are provided, these phrases are still vague enough to risk unintended invocation outside this skill's narrow long-form content-production scope.
VirusTotal
66/66 vendors flagged this skill as clean.