Paragon MLS

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent MLS lookup purpose, but it is configured to run a hard-coded local Node server whose source code is not included in the reviewed package.

Review before installing. Only enable this skill if you can inspect and trust the referenced `paragon-mls-mcp` server code and adjust the MCP command to a reviewed local path. Treat results as advisory, especially because some regions may use plaintext HTTP and unofficial MLS API responses can change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly states that some Paragon API responses may be fetched over HTTP rather than HTTPS, yet the user-facing description does not prominently warn users before they send listing identifiers or query data. Unencrypted transport can expose requested properties, MLS numbers, and returned listing data to network interception or tampering, especially on shared or untrusted networks.

VirusTotal

61/61 vendors flagged this skill as clean.
