Back to skill

Security audit

Json Parser

Security checks across malware telemetry and agentic risk

Overview

This appears to be a data parsing helper whose file access is expected for parsing user-selected files, with only a minor disclosure mismatch around CSV and Excel support.

Install only if you are comfortable granting the skill access to files you ask it to parse. Treat CSV/Excel support as part of the skill's behavior even if the name emphasizes JSON, and avoid pointing it at unrelated private directories or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes a skill focused on parsing and validating JSON data and flattening nested JSON into DataFrames. However, the instructions explicitly expand the scope to accept CSV and Excel as inputs and to offer export to Excel/CSV/JSON, which goes beyond the stated JSON-centric behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.