Tinyfish Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TinyFish web-search integration that discloses its API key requirement and network use.

Install only if you trust TinyFish with your search queries and are comfortable storing TINYFISH_API_KEY in the agent environment. The skill is not doing hidden local access or persistence, but hosts should ideally expose its network and shell/curl behavior in permissions metadata.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill instructs the agent to execute shell commands and make outbound network requests, but it declares no permissions/capabilities to reflect that behavior. This creates a transparency and policy-enforcement gap: a host may allow installation or execution under the assumption the skill is non-executing, while the skill actually uses shell and transmits a secret API key in an HTTP header to an external service.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal