Australian Business Verification

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, read-only ABR lookup helper that uses a configured ABR GUID to query the official Australian Business Register.

Before installing, obtain the free ABR GUID yourself, keep ABR_GUID out of chat, logs, and version control, and expect the skill to send that GUID plus the queried ABN/ACN/name to abr.business.gov.au. Use the results to support supplier, invoice, GST, or onboarding checks, but do not rely on ABR status alone for fraud, payment, or legal decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill instructs the agent to read an environment variable (`ABR_GUID`) and make outbound network requests to the ABR service, but the metadata declares no corresponding permissions. That mismatch creates a hidden capability surface: a user or reviewer may believe the skill is documentation-only or lower risk, while it can actually access secrets and transmit data externally.

VirusTotal

61/61 vendors flagged this skill as clean.
