Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
check-hymx-info
Security checks across malware telemetry and agentic risk
Overview
This skill only fetches Hymatrix bridge token information from external Hymatrix API endpoints and does not access local data or make changes.
Reasonable to install for Hymatrix bridge-token lookups. Before using the output for transactions, verify token addresses, supported chains, fees, and limits against an official Hymatrix source because the skill depends on live external API responses, including dev-named endpoints.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 94% confidence
- Finding
- This markdown file defines a trigger using the broad phrase 'When asking users for cross-chain information, which tokens are supported?' without clearly delimiting exact invocation phrases or exclusion conditions. Because it does not specify concrete trigger patterns, scope, or negative examples, the skill could be invoked for generic cross-chain questions beyond the intended Hymatrix-specific use case.
VirusTotal
63/63 vendors flagged this skill as clean.