Bitcoin Daily

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: fetch public Bitcoin development updates, summarize them, and save a local archive.

Install only if you are comfortable with a local Node script fetching public web pages and writing archives under ~/workspace/bitcoin-dev-archive. Enable the daily cron only if you want recurring summaries, and use the read command with normal YYYY-MM-DD dates.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill invokes a local Node.js script that fetches data from external sites and reads/writes archive files, but the skill metadata does not declare the required capabilities. That mismatch is a real security issue because it hides the skill's true trust boundary from the permission model and reviewers, making network access and local environment/file interactions occur without explicit user or platform approval.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal