Back to skill

Security audit

anyshare-contract-rule-review

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AnyShare contract-review workflow, but users should treat contract uploads, stored reports, tokens, and generated share links as sensitive.

Install only if you are comfortable uploading the chosen contracts to AnyShare, storing originals and review reports there, and creating share links. Use a least-privilege token if available, keep mcporter config private, verify the AnyShare account and link permissions, and delete temporary local copies or cloud reports when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly uploads local contract files to a remote AnyShare service and generates a share link, but the description does not warn users that sensitive contract contents will leave the local device and may become accessible through link sharing. For legal and commercial documents, missing privacy and confidentiality disclosure can lead to unintended exposure of highly sensitive data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SECURITY.md:37