Back to skill

Security audit

Ultimate Flashcards and Podcast Tutor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent EchoDecks API helper for managing study content, with expected use of an API key and no hidden local persistence or unrelated data access found.

Install this only if you trust EchoDecks with the deck text, imported study material, and podcast-generation inputs you ask it to process. Keep ECHODECKS_API_KEY in the environment rather than prompts or deck content, and review credit-consuming generation or account-changing actions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares use of an environment variable and clearly wraps a client that likely performs outbound API calls, but it does not declare corresponding permissions in the skill surface. That creates a transparency and policy gap: users and reviewers may not realize the skill can access secrets and send data off-box, which increases the chance of unintended credential exposure or unreviewed network use.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill states that an API key is required but gives no guidance on credential handling, storage, or the fact that use involves communicating with an external service. This is primarily a security transparency weakness: users may paste or manage credentials unsafely or fail to understand that their data and authentication are leaving the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The AI card-generation and podcast features accept user-supplied topic/text and describe credit costs, but they do not clearly warn that this content may be transmitted to external AI or media-generation services and may incur billable usage. This can lead to accidental disclosure of sensitive study content and unexpected account charges, especially because the features encourage bulk content submission.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.