Security audit

NEXUS Mcp Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid remote bridge, but it needs review because paid calls and GitHub/IPFS/filesystem-style MCP routing are broadly scoped and lack clear safeguards.

Review before installing. Use it only if you trust NEXUS with the prompts, files, repository context, and payment proof you send. Do not let an agent forward secrets, wallet keys, tokens, private repository data, or local file contents through this bridge without explicit confirmation and a clear understanding of the downstream MCP service involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The manifest and description present this as an MCP bridge to IPFS, GitHub, and filesystem servers, but the implementation guidance routes all user input to a remote NEXUS-hosted API instead. This is a security-relevant mismatch because users and orchestrators may grant or invoke the skill under false assumptions about where data goes and what backend is actually being used, increasing the risk of unintended external disclosure and unsafe trust decisions.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The skill claims to bridge to a filesystem MCP server while also asserting that no filesystem access is required. That inconsistency can mislead users and policy engines about the capability surface, causing them to approve a skill they believe cannot touch file-like resources when its stated purpose implies such access through an external bridge.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The README states the skill is 'automatically invoked' when a matching task is detected, but it does not define what counts as a match or what safeguards apply before invoking a bridge to external MCP servers. For a skill that can interface with filesystem, GitHub, and IPFS, ambiguous trigger boundaries increase the chance of unintended activation and unauthorized data exposure or actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill advertises bridging to filesystem, GitHub, and IPFS but provides no warning about sensitive data access, repository modification, or exfiltration risks. In this context, omission of security boundaries is dangerous because these integrations can expose local files, source code, tokens, or public/private content through remote MCP services.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The activation guidance is extremely broad: 'Use when you need to bridge to mcp servers - ipfs, github, filesystem.' Without tighter constraints, an agent may invoke this skill for a wide range of requests and send sensitive prompts or repository/file data to the external service unnecessarily. Broad triggers are especially risky here because the skill performs network transmission to a third-party backend.

VirusTotal

54/54 vendors flagged this skill as clean.