Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
statcast-mcp>=0.1.0
- Confidence
- 93% confidence
- Finding
- statcast-mcp>=0.1.0
MLB Statcast
Security checks across malware telemetry and agentic risk
Overview
This appears to be a purpose-aligned baseball statistics MCP skill, with only a low supply-chain caution about an unpinned Python dependency.
Safe to install for baseball-statistics use, with normal caution for community packages. Prefer a pinned, reviewed `statcast-mcp` version or a lockfile if you need reproducible or higher-assurance installs.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)
VirusTotal
64/64 vendors flagged this skill as clean.