Pipeworx amplitude

Security checks across malware telemetry and agentic risk

Overview

This Amplitude MCP skill is purpose-aligned, but it can route sensitive user profile and activity data through an external Pipeworx gateway without enough disclosure about access scope or data handling.

Install only if you trust the Pipeworx MCP gateway and have confirmed how it authenticates to Amplitude, which workspace and scopes it can access, how logs and returned user data are retained, and how to revoke access. Use it with least-privilege Amplitude permissions and avoid querying individual users unless you have a legitimate authorization basis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill advertises user search and per-user activity retrieval capabilities that can expose profile attributes, identifiers, and behavioral timelines, but it provides no privacy guidance, access-control expectations, or data-minimization constraints. In an agent setting, this omission increases the likelihood of inappropriate querying or disclosure of personal data, especially if the tools are used on arbitrary users without clear authorization checks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal