MeshCore Marketplace

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MeshCore marketplace connector, but users should treat paid agent calls as billing actions and all agent calls as external data sharing.

Install only if you are comfortable sending selected prompts or payloads to MeshCore marketplace agents. Review the selected agent, price, and exact data before any call, avoid sending secrets or sensitive documents, use a limited MeshCore token where possible, and vet the optional MeshCore CLI or MCP packages separately before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
This README encourages marketplace searches, agent calls, and wallet checks in a paid-agent ecosystem, but it does not clearly warn users that some actions may incur real charges. In a marketplace with automatic billing, ambiguous examples can cause users or downstream agents to invoke paid services without informed consent, leading to unexpected financial loss and unsafe autonomous spending behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
