Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Tasks.md Sprint Sync
Security checks across malware telemetry and agentic risk
Overview
This skill is a small local task-file sync helper that does what it claims, with a documented apply mode that can edit TASKS.md.
Install is reasonable for projects that keep sprint state in PLAN.md and TASKS.md. Run report mode first, confirm PROJECT_NAME and file paths, and use version control or a backup before SYNC_MODE=apply because it replaces the target section's in-progress checklist.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)
Missing User Warnings
Low
- Confidence
- 85% confidence
- Finding
- This markdown file documents an `apply` mode that updates `TASKS.md` by replacing the current phase and in-progress task list. Although the behavior is described, it does not include a clear caution or warning to users that running in apply mode will modify project files and overwrite existing task content.
VirusTotal
64/64 vendors flagged this skill as clean.