Content Moderation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Vettly content moderation skill, with normal integration risks from using an external MCP package, API key, and provider-handled moderation data.

Before installing, confirm you trust the @vettly/mcp npm package and Vettly as a provider, consider pinning a known-good package version, and use the least-privileged Vettly API key available. Do not submit secrets, regulated personal data, or private signed media URLs unless your organization has approved Vettly for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill sends user-provided text and image/video URLs to Vettly's external moderation service, but the description does not warn users that potentially sensitive content leaves their environment. This can lead to inadvertent disclosure of personal, confidential, or regulated data, especially when moderating private messages, internal documents, or media URLs containing identifiers or access tokens.

VirusTotal

65/65 vendors flagged this skill as clean.
