Cc Clean

Security checks across malware telemetry and agentic risk

Overview

This skill is a content-calendar generator with no evident destructive or hidden behavior, but its API-key and local-processing documentation should be clearer.

Before installing, expect that the host may ask for ANTHROPIC_API_KEY even if you only want the demo or compliance-only modes. Provide that key only if you intend to use AI-generated custom calendars, and verify that the referenced generate_calendar.py implementation comes from a source you trust before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation states that some free-tier modes require no API key, but the manifest declares ANTHROPIC_API_KEY as an unconditional requirement. This mismatch can mislead users and host agents into supplying credentials unnecessarily, increasing secret exposure and causing the skill to receive API access in scenarios where it should run offline.

VirusTotal

62/62 vendors flagged this skill as clean.
