rust-rebuilder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Rust migration helper that runs local dependency and Git sync checks, with third-party helper recommendations users should review before installing.

Before installing, review the linked helper skill/MCP repositories independently, approve the bundled Python scripts before running them, and use the Git sync report only on repositories where fetch/prune of origin and upstream is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to execute local shell commands and read local files/scripts, but there is no declared permission model or limitation around those capabilities. In an agent environment, undeclared shell and file access increases the chance of unintended local inspection or command execution, especially because the skill treats those actions as mandatory preflight steps.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill description presents itself as a Rust migration assistant, but the actual behavior includes mandatory dependency checks for unrelated local skills/MCPs and directs users to install specific third-party repositories. This mismatch can mislead users into granting local access or installing external components they did not intend to trust, creating a supply-chain and transparency risk.

VirusTotal

65/65 vendors flagged this skill as clean.
