Back to skill

Security audit

aws-price-csv

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AWS pricing CSV helper with expected local file, AWS CLI, and AWS pricing network behavior, but users should choose output and cache paths carefully.

Install if you are comfortable running a local Python pricing helper. Use a least-privilege AWS profile limited to pricing:GetProducts, verify which AWS profile is active before API mode, prefer a dedicated cache directory, and choose an output filename that will not overwrite important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation instructs use of a Python script that reads input files, writes CSV output, invokes the AWS CLI, and may download/cache pricing JSON over the network, but the skill declares no permissions. This creates a capability transparency gap: users or orchestrators may run a skill with filesystem, shell, and network effects they were not informed about, increasing the risk of unintended data access, command execution pathways, or external connectivity.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The script writes directly to a user-specified output path using Path(args.output).open('w'), which will silently overwrite any existing file writable by the current user. In an agent or automation context, a crafted or mistaken output path could destroy important local data or overwrite files in unexpected locations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.