README Env Table Sync

Security checks across malware telemetry and agentic risk

Overview

This skill is a local README helper that reads an env template and, only when explicitly requested, updates a marked README table.

Run the default report mode first. Use SYNC_MODE=apply only when you want the README file modified, and set ENV_FILE and README_FILE to the intended repository paths.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill clearly performs file reads and writes against user-controlled paths such as ENV_FILE and README_FILE, but it declares no permissions. That mismatch is a real security and governance issue because callers and reviewers are not informed that the skill can modify repository files, which increases the risk of unintended or abusive file access if invoked in a broader automation context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal