Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
CEORater
Security checks across malware telemetry and agentic risk
Overview
CEORater is a disclosed, read-only API skill for CEO analytics; the main consideration is that it uses your CEORater API key and sends lookup/search requests to CEORater.
Install if you intend to use CEORater and are comfortable providing a dedicated CEORATER_API_KEY. Treat the key like a password, avoid exposing it in logs or shared config, and remember that broad finance queries may route through this paid API.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)
Vague Triggers
Medium
- Confidence
- 95% confidence
- Finding
- The triggers include generic phrases such as "CEO performance," "CEO score," "CEO rating," "executive performance," and especially "TSR" and "total stock return," which can arise in ordinary finance discussions without a clear intent to invoke this specific skill. The manifest does not provide narrower scope constraints or negative examples to distinguish when the skill should activate versus when it should not.
External Transmission
Medium
- Category
- Data Exfiltration
- Content
### Get CEO by Ticker ```bash curl -H "Authorization: Bearer $CEORATER_API_KEY" \ "https://api.ceorater.com/v1/ceo/AAPL?format=raw" ``` ### Search CEOs
- Confidence
- 50% confidence
- Finding
- https://api.ceorater.com/
External Transmission
Medium
- Category
- Data Exfiltration
- Content
### Search CEOs ```bash curl -H "Authorization: Bearer $CEORATER_API_KEY" \ "https://api.ceorater.com/v1/search?q=technology&format=raw" ``` ### List All CEOs
- Confidence
- 50% confidence
- Finding
- https://api.ceorater.com/
External Transmission
Medium
- Category
- Data Exfiltration
- Content
### List All CEOs ```bash curl -H "Authorization: Bearer $CEORATER_API_KEY" \ "https://api.ceorater.com/v1/ceos?limit=100&format=raw" ``` ### Get Metadata (live record count + last refresh timestamp)
- Confidence
- 50% confidence
- Finding
- https://api.ceorater.com/
External Transmission
Medium
- Category
- Data Exfiltration
- Content
### Get Metadata (live record count + last refresh timestamp) ```bash curl -H "Authorization: Bearer $CEORATER_API_KEY" \ "https://api.ceorater.com/v1/meta" ``` ## Usage Instructions
- Confidence
- 50% confidence
- Finding
- https://api.ceorater.com/
VirusTotal
66/66 vendors flagged this skill as clean.