shrimpcard

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local workflow for turning real agent evidence into a validated share-card and HTML card, with privacy considerations around what evidence gets summarized publicly.

Install only if you are comfortable letting the skill summarize agent memories, traces, owner feedback, and saved preferences into a public-facing card. Review the generated JSON and HTML before publishing, and only attach image or URL assets you intentionally want embedded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill instructs the agent to install dependencies and run multiple local scripts that read, write, validate, and render files, and the static analyzer also detected network capability, yet the skill declares no permissions. This creates a capability/permission mismatch: a host or reviewer may assume the skill is low-privilege when in practice it can access environment data, modify the workspace, and potentially make outbound requests through dependencies or scripts.

VirusTotal

64/64 vendors flagged this skill as clean.
