Back to skill

Security audit

Url Shortener

Security checks across malware telemetry and agentic risk

Overview

This skill is a small local URL alias and QR-code helper that stores data on disk but shows no hidden network, credential, or destructive behavior.

Use this as a local helper, not a hosted short-link service. Avoid storing URLs that contain tokens, private query parameters, or sensitive internal addresses because they are saved in ~/.url_shortener.json, and choose QR output paths carefully to avoid overwriting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises capabilities that imply writing files (for example, saving QR codes and likely local URL storage/export) but does not declare any permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may assume the skill is read-only when it can persist data to disk, increasing the risk of unauthorized file creation, overwriting files, or storing sensitive URLs locally without explicit approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.