Security audit

Paragon MLS Raw Listings

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent MLS debugging purpose, but it depends on and builds unreviewed local MCP code outside the reviewed package.

Install only if you control and trust the local paragon-mls-mcp project at the configured path and have reviewed its dependencies and build scripts. Use the raw listing tool only for authorized MLS records, and redact raw payloads before logging, sharing, or sending them to downstream tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly retrieves raw MLS JSON payloads and presents them as suitable for debugging or downstream analysis without warning that raw records may include personal, proprietary, or region-specific sensitive fields. Because raw outputs bypass normalization and filtering, users may unintentionally expose or persist sensitive listing data in logs, prompts, downstream tools, or shared analyses.

VirusTotal

64/64 vendors flagged this skill as clean.
