
Security audit

MeshMonitor API

Security checks across malware telemetry and agentic risk

Overview

This MeshMonitor skill is mostly a documented API helper, but it includes ungated commands that can transmit live mesh messages or make arbitrary authenticated requests against any API path.

Install only if you intend to give an agent authenticated access to a MeshMonitor instance. Prefer a read-only or low-privilege token for reporting, and require human approval before any send-message command or any raw request that is not a GET, because those actions can transmit onto the live mesh or reach API endpoints beyond the documented read surface.
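One way to enforce that recommendation inside the skill itself, as an added example that is not code from the MeshMonitor skill or project: a small policy gate that classifies every outgoing request, lets reads through, refuses anything outside the API prefix, and routes the documented `POST /api/v1/messages` send (and every other non-GET) through a human approver or a dry-run preview. It assumes the API lives under `/api/v1` with a bearer token, as the findings describe; the message body shape (`text`, `channel`) and the transport/approver call signatures are assumptions, and the transport used here is a constructed fake so the block runs offline.

```python
"""Approval gate for an agent-driven MeshMonitor API helper (added example)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

API_PREFIX = "/api/v1"            # assumed API root, per the audit findings
READ_METHODS = {"GET", "HEAD"}
SEND_MESSAGE = ("POST", API_PREFIX + "/messages")  # the documented write path


@dataclass
class Decision:
    action: str   # "allow" (read), "approve" (write: ask a human), or "deny"
    reason: str


def classify(method: str, path: str) -> Decision:
    """Map a raw (method, path) pair onto the approval policy."""
    method = method.upper()
    path = path.split("?", 1)[0]                 # the query string never changes policy
    if path != API_PREFIX and not path.startswith(API_PREFIX + "/"):
        return Decision("deny", "path is outside the MeshMonitor API prefix")
    if ".." in path.split("/"):
        return Decision("deny", "path contains a traversal component")
    if method in READ_METHODS:
        return Decision("allow", "read-only request")
    if (method, path) == SEND_MESSAGE:
        return Decision("approve", "sends a message onto the live mesh")
    return Decision("approve", f"{method} is state-changing on an undocumented path")


# Assumed signatures: the real skill would back Transport with its HTTP client,
# and Approver with whatever asks the operator for a yes/no.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Any]
Approver = Callable[[str, str, Optional[dict]], bool]


@dataclass
class GatedClient:
    token: str
    transport: Transport
    approver: Approver
    dry_run: bool = False
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        decision = classify(method, path)
        # Audit trail records the decision but never the bearer token.
        self.audit.append((method.upper(), path, decision.action))
        if decision.action == "deny":
            raise PermissionError(f"{method} {path} denied: {decision.reason}")
        if decision.action == "approve":
            if self.dry_run:
                # Preview only: nothing reaches the API or the mesh.
                return {"dry_run": True, "method": method.upper(), "path": path,
                        "body": body, "why": decision.reason}
            if not self.approver(method.upper(), path, body):
                raise PermissionError(f"{method} {path} not approved by operator")
        headers = {"Authorization": "Bearer " + self.token}
        return self.transport(method.upper(), path, headers, body)

    def send_message(self, text: str, channel: int = 0) -> Any:
        """Documented send command, routed through the same gate (body shape assumed)."""
        return self.request("POST", API_PREFIX + "/messages",
                            {"text": text, "channel": channel})


class FakeTransport:
    """Constructed stand-in for the HTTP client: records calls instead of sending."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, str], Optional[dict]]] = []

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, headers, body))
        return {"ok": True, "method": method, "path": path}


def demo() -> Dict[str, Any]:
    """Drive the gate with the fake transport; returns what happened for inspection."""
    transport = FakeTransport()
    # Stand-in operator: only approves a send on channel 0, nothing else.
    approver = lambda method, path, body: bool(body) and body.get("channel") == 0
    client = GatedClient("dummy-token", transport, approver)
    nodes = client.request("GET", "/api/v1/nodes")       # read: no prompt
    sent = client.send_message("hello from the agent")   # write: approved
    try:
        client.send_message("private", channel=1)        # write: operator refuses
        refused = False
    except PermissionError:
        refused = True
    try:
        client.request("DELETE", "/api/v1/nodes/1")      # undocumented write: refused
        deleted = True
    except PermissionError:
        deleted = False
    return {"nodes": nodes, "sent": sent, "refused": refused, "deleted": deleted,
            "calls": len(transport.calls), "audit": client.audit}
```

The point of the design is that the send-message command and the raw caller share one chokepoint, so a low-privilege token plus this gate covers both: reads never prompt, writes never leave the process without an explicit yes, and `dry_run=True` lets an agent show what it would send before it is allowed to send it.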

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs the agent to make authenticated HTTP requests to a user-supplied MeshMonitor instance, but no explicit permissions declaration is present. That is a governance and least-privilege problem: operators reviewing the manifest may not realize the skill performs live network actions against an external system, which increases the risk of unintended outbound access and misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose emphasizes inspection and reporting, but the documented behavior includes state-changing message sends, API-surface enumeration, and arbitrary raw requests with selectable methods to any /api/v1 path. That gap is dangerous because users or reviewers may treat the skill as read-only when it can probe and modify a live system, enabling unauthorized changes, broader API abuse, or use beyond the intended scope.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The notes explicitly document a write-capable endpoint, `POST /messages`, even though the skill is described as primarily inspect/query oriented. In an agent context, documenting a write path materially increases the chance the skill will be used to send mesh messages on live radio infrastructure without clear user intent or adequate safeguards.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata describes inspection, dashboards, history queries, and reporting, but this code includes a state-changing send-message operation. That expands the capability from read-only analysis to active network interaction, which can cause unauthorized transmissions or user surprise if the agent invokes it inappropriately.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The raw API caller lets users hit arbitrary MeshMonitor API paths instead of the narrowly described inspection/reporting actions. This bypasses the intended command surface and can expose undocumented or administrative endpoints, especially when combined with an authenticated bearer token.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The raw command accepts an arbitrary HTTP method, not just GET, which enables state-changing operations such as POST, PUT, PATCH, or DELETE against any API path reachable with the supplied token. In a skill presented as an inspection/reporting integration, this is an overbroad capability: the agent can exercise every write privilege the token carries, not only the narrow actions the documentation describes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation advertises a send-message command but does not prominently warn that it changes external system state by transmitting onto the mesh. In this context, sending messages can affect real devices and users, create spam or misinformation on the network, and cause operators to invoke a write action believing the skill is primarily observational.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The message-sending documentation describes how to perform authenticated writes but does not warn that sending messages can affect a live mesh, trigger radio relays, or create unintended communications. In a reusable agent skill, omission of such warnings makes accidental operational impact more likely, especially when bearer tokens already authorize the action.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The send-message operation performs an externally visible action without any built-in confirmation, dry-run, or warning mechanism. In an agent setting, that increases the risk of unintended transmissions, spoofed operator intent, or accidental disclosure over the mesh network.

VirusTotal

0/61 vendors flagged this skill; all 61 rated it clean. Note that this scan checks the skill files against known malware signatures and does not assess the agentic risks listed in the findings above.
