Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
GitHub Actions Self-Hosted Risk Audit
Security checks across malware telemetry and agentic risk
Overview
The scan shows a low-risk skill with no concrete evidence of hidden, destructive, or deceptive behavior; the main issue is missing explicit permission metadata.
This appears acceptable to install, but review the skill text for what access it expects before running it. Be more cautious if it asks to use credentials, broad filesystem access, or network calls that are not clearly tied to its stated purpose.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
58/58 vendors flagged this skill as clean.