Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Open Exchange Rate
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says: it fetches public currency exchange rates and converts amounts without accessing local files, credentials, or persistent state.
Install this if you are comfortable with currency lookup requests being sent to open.er-api.com. Ensure Python 3 and the requests package are available before using the scripts.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
64/64 vendors flagged this skill as clean.