Free Mobile SMS

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: send SMS notifications through Free Mobile using user-provided credentials, with no hidden persistence or unrelated behavior found.

Install this only if you want an agent to send SMS notifications to your own Free Mobile number. Treat the Free Mobile API key like a password, avoid logging or committing it, and consider requiring confirmation before sending unexpected or important messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill clearly depends on sensitive environment variables and external network access to send SMS, but it does not declare permissions for those capabilities. This creates a transparency and policy-enforcement gap: a user or host platform may not realize the skill can read secrets and contact a remote SMS API, which is especially sensitive because it can trigger real-world actions and incur costs or abuse messaging channels.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal