Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Pure Search
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward web-search helper that sends queries to DuckDuckGo and fetches result pages, with no evidence of hidden persistence, credential use, or destructive behavior.
Install it in a virtual environment, consider pinning dependency versions, and avoid sensitive/private searches unless you are comfortable sending them to DuckDuckGo and the fetched websites. Treat extracted page text as untrusted content for the agent to summarize or cite, not as instructions to follow.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)
Missing User Warnings
Medium
- Confidence
- 93% confidence
- Finding
- This markdown file describes using DuckDuckGo for link retrieval and trafilatura for extracting web page content, which means user-provided queries and requested URLs are transmitted over the network. The description explains functionality but does not explicitly warn users about this external data transmission or its privacy implications.
VirusTotal
64/64 vendors flagged this skill as clean.