Internet Radio Music DB

Security checks across malware telemetry and agentic risk

Overview

This appears to be a radio-stream database tool that fetches public station listings and updates a local JSON database, with disclosure gaps but no evidence of malicious behavior.

Install only if you are comfortable with a skill that makes many public network requests, stores a local radio-stream database, and may remove entries it marks repeatedly unavailable. The publisher should add explicit permission metadata for network and file access and document or remove the hard-coded-path helper scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill documentation describes clear network access and local file read/write behavior (`state.json`, export, scraping remote sites), but the manifest declares only a binary dependency and no explicit permissions. This creates a transparency and policy-enforcement gap: users or the platform may grant trust to the skill without understanding that it performs large-scale network operations and persists data locally. In context, these capabilities are expected for a radio database builder, which lowers suspicion of malicious intent, but the undeclared capabilities still matter because the skill fetches data from external sources and modifies local state automatically on a schedule.

VirusTotal

61/61 vendors flagged this skill as clean.
