Chefpad

Security checks across malware telemetry and agentic risk

Overview

ChefPad is a local recipe manager, but its executable script handles recipe text unsafely enough that crafted input could run local code.

Review this version before installing. The local recipe storage is disclosed and reasonable, but do not pass recipe text, ingredients, or search terms from untrusted sources until the publisher fixes input handling by using argv, environment variables, or JSON-safe serialization instead of interpolating strings into Python code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill's advertised purpose does not match its documented behavior: it omits local file storage in the user's home directory and claims grocery list and meal-planning functionality that is not actually implemented. This mismatch can mislead users and security tooling about what the skill will do, reducing informed consent and making unexpected data persistence more likely.

VirusTotal

66/66 vendors flagged this skill as clean.
