Back to skill

Security audit

Synth Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Synthdata market-data CLI that uses a disclosed API key to query Synthdata and shows no hidden persistence or unrelated data access.

Install only if you are comfortable giving the skill access to a Synthdata API key and sending selected asset tickers to Synthdata. Use a revocable key if possible, avoid pasting secrets into shared terminals or logs, and create any cron, Slack, Telegram, or alert integrations deliberately because those could continue sending reports until disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires environment-variable access for an API key and makes outbound network requests, but it does not declare explicit permissions for those capabilities. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can access secrets and transmit data externally, which weakens consent and review controls.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The documentation tells users to export an API key directly into their shell environment without any guidance on secure handling. While this is common practice, it can lead to accidental exposure through shell history, shared terminals, process inspection, logs, or screenshots if users are not warned to treat the key as sensitive.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.