Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Text Tools Pro
Security checks across malware telemetry and agentic risk
Overview
This is a simple local text-processing skill with no evidence of network access, credential handling, persistence, or hidden behavior.
Safe to install for local text cleanup and basic text statistics. Be aware that several advertised tools are not included in this package, and only run it on files you intend to process because it reads the input path you provide and may write to the output path you choose.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 94% confidence
- Finding
- This markdown file says to use the skill whenever users need to 'process, format, clean, or analyze text content' and describes it as for 'everyday text manipulation tasks.' Those triggers are extremely broad and overlap with common user requests, without any explicit scope limits or negative examples to prevent unintended invocation.
VirusTotal
65/65 vendors flagged this skill as clean.