Back to skill

Security audit

Supermetrics

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Supermetrics API helper that uses a Supermetrics API key to query marketing analytics, with no hidden persistence or unrelated network destinations found.

Install this only if you want an agent to access Supermetrics-connected marketing accounts. Use a scoped or revocable API key where possible, verify the publisher before adding credentials, and confirm the account, fields, filters, and date range before running queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares an environment variable requirement and documents Python helper functions that query an external service, which implies network access and handling of secrets, yet no explicit permissions are declared. This weakens transparency and reviewability: users and platforms may not realize the skill can read API keys and transmit account/query data off-platform.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Several triggers such as 'analytics', 'marketing data', and 'marketing report' are broad enough to match routine user requests that may not specifically intend to invoke an external Supermetrics integration. In context, that increases the chance of unintended activation, causing external data access attempts or unnecessary transmission of account-related query details to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description mentions an API key but does not clearly warn that using the skill sends marketing queries, account identifiers, and potentially sensitive analytics selections to an external Supermetrics service. This is a transparency and consent issue: users may disclose business data without understanding the third-party destination or the implications of using stored credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.