Back to skill

Security audit

5S管理技能

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent 5S management helper with a user-run report script and no evidence of hidden collection, persistence, or unsafe automatic behavior.

Before installing, understand that the report generator will read the JSON file path you provide and write an HTML report to the output path you provide. Use trusted inspection data, choose output paths carefully, and avoid opening reports generated from untrusted JSON because text fields are inserted into the HTML report.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs use of a local script to read JSON input and write an HTML report, but the skill metadata does not declare any permissions for file access. This creates an authorization mismatch: an agent may be induced to perform file reads/writes without an explicit permission boundary, increasing the risk of unintended local file access if the runtime relies on declarations for policy enforcement.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.