Back to skill

Security audit

Smart Downloader

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward user-directed downloader that fetches listed URLs and saves them to a chosen folder, with no hidden persistence or credential behavior found.

Before installing, understand that this skill can download arbitrary URLs you provide and save files to a folder you choose. Use trusted URL lists, avoid passing sensitive headers unless needed, keep concurrency reasonable, and review downloaded files before opening them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and relies on network access and local file reading (URL list from a file), but it does not declare permissions for those capabilities. Missing permission declarations reduce transparency and prevent proper policy enforcement or user review, which is risky for a downloader that can fetch arbitrary remote content and write files based on user-provided input.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.