AI 项目评估助手 (AI Project Evaluation Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is an ordinary AI project evaluator, but it needs review because of its API-key handling: if OPENAI_API_KEY is set in the environment, the script can pick it up and send it to the default DeepSeek endpoint, exposing one provider's credential to another.

Install only if you are comfortable sending project ideas to the configured LLM provider. Before running it, set the provider endpoint and the matching key explicitly, or unset unrelated API keys such as OPENAI_API_KEY when you rely on the default DeepSeek endpoint.
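The failure mode above, shown as an added illustration rather than the skill's own code: a "take whatever key is set" fallback beside a version that binds the credential to the provider that owns the endpoint. The default endpoint, the `LLM_BASE_URL` variable, the `PROVIDER_KEY_VARS` table and the sample environment are assumptions for this example; the keys are constructed strings, not real credentials.

```python
from urllib.parse import urlparse

# Assumed default endpoint, matching the page's description of the skill
# defaulting to DeepSeek; the real script's constants are not shown here.
DEFAULT_ENDPOINT = "https://api.deepseek.com/v1"

# Hypothetical mapping of provider host to the environment variable that
# holds that provider's credential.
PROVIDER_KEY_VARS = {
    "api.deepseek.com": "DEEPSEEK_API_KEY",
    "api.openai.com": "OPENAI_API_KEY",
}


class KeyProviderMismatch(Exception):
    """Raised when no credential for the selected provider is available."""


def pick_key_unsafe(env):
    """Leaky pattern: take any key that happens to be set.

    With only OPENAI_API_KEY in the environment this returns the OpenAI
    credential, which the caller then sends to the DeepSeek endpoint.
    """
    return env.get("DEEPSEEK_API_KEY") or env.get("OPENAI_API_KEY")


def pick_key_safe(env, endpoint=None):
    """Bind the credential to the provider that owns the endpoint.

    The key is looked up only under the variable registered for the
    endpoint's host; an unknown host or a missing key is an error, never
    a silent fallback to some other provider's secret.
    """
    endpoint = endpoint or env.get("LLM_BASE_URL") or DEFAULT_ENDPOINT
    host = urlparse(endpoint).hostname
    var = PROVIDER_KEY_VARS.get(host)
    if var is None:
        raise KeyProviderMismatch(f"no credential variable registered for {host!r}")
    key = env.get(var)
    if not key:
        raise KeyProviderMismatch(f"{var} is not set for endpoint {endpoint}")
    return key


def main():
    # Constructed environment: only an OpenAI key is present (not a real key).
    env = {"OPENAI_API_KEY": "sk-openai-CONSTRUCTED"}
    print("unsafe picks:", pick_key_unsafe(env))  # the OpenAI key, bound for DeepSeek
    try:
        pick_key_safe(env)
    except KeyProviderMismatch as exc:
        print("safe refuses:", exc)


if __name__ == "__main__":
    main()
```

The safe variant deliberately has no "any key will do" branch: a missing DeepSeek key is reported as a configuration error, and an OpenAI key is only ever sent to an OpenAI host. Key prefixes are not used to tell providers apart, since several providers issue keys with the same `sk-` prefix.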

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91%
Finding
The skill invokes a Python script that appears to use environment access, file output, and network access, but the manifest declares no permissions or capability requirements. This is a transparency and containment problem: users and hosting platforms cannot tell what the skill may access, and cannot restrict it to what it needs, which raises the risk of unintended data exposure and uncontrolled external communication.
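One way to check for this kind of underdeclared capability, as an added example that is not SkillSpector's own logic: walk the script's AST for environment reads, outbound-network imports and file writes, then diff the result against what the manifest declares. The manifest shape (a dict with a `permissions` list), the capability names and the sample script are assumptions constructed for this example.

```python
import ast

# Modules whose import indicates outbound network capability (illustrative list).
NETWORK_MODULES = {
    "urllib.request", "requests", "httpx", "aiohttp", "socket", "http.client",
}

# Constructed sample script mirroring the finding: reads an env var, opens a
# network client, writes a file. Not the skill's actual source.
SAMPLE_SCRIPT = '''
import os
import json
import urllib.request

key = os.environ.get("OPENAI_API_KEY")
req = urllib.request.Request("https://api.deepseek.com/v1/chat/completions")
with open("report.md", "w") as f:
    f.write(json.dumps({"ok": True}))
'''

# Assumed manifest format: a 'permissions' list of capability names.
SAMPLE_MANIFEST = {"name": "ai-project-evaluator", "permissions": []}


def used_capabilities(source: str) -> set:
    """Infer coarse capabilities from the AST: env, network, file_read, file_write."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            if any(alias.name in NETWORK_MODULES for alias in node.names):
                caps.add("network")
        elif isinstance(node, ast.ImportFrom):
            full = {f"{node.module}.{alias.name}" for alias in node.names}
            if node.module in NETWORK_MODULES or full & NETWORK_MODULES:
                caps.add("network")
        elif isinstance(node, ast.Attribute):
            # os.environ[...] and os.environ.get(...) both contain this attribute node
            if isinstance(node.value, ast.Name) and node.value.id == "os" and node.attr == "environ":
                caps.add("env")
        elif isinstance(node, ast.Call):
            func = node.func
            if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                    and func.value.id == "os" and func.attr == "getenv"):
                caps.add("env")
            if isinstance(func, ast.Name) and func.id == "open":
                mode = "r"  # open() defaults to read mode
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = node.args[1].value
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = kw.value.value
                caps.add("file_write" if any(c in str(mode) for c in "wax+") else "file_read")
    return caps


def undeclared_capabilities(source: str, manifest: dict) -> list:
    """Capabilities the code exercises that the manifest's 'permissions' list omits."""
    declared = set(manifest.get("permissions", []))
    return sorted(used_capabilities(source) - declared)


if __name__ == "__main__":
    for cap in undeclared_capabilities(SAMPLE_SCRIPT, SAMPLE_MANIFEST):
        print(f"undeclared capability: {cap}")
```

Static import and call matching of this kind is a triage signal, not proof: dynamic imports, `subprocess` calls to `curl`, or a vendored HTTP client will slip past it, which is why a reviewer still reads the script rather than trusting the manifest alone.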

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal