Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
China Industrial Machinery Suppliers
Security checks across malware telemetry and agentic risk
Overview
This is a local reference skill for China industrial machinery sourcing and it does not show risky access, persistence, credential use, or external actions.
This appears safe to install from a security perspective. Treat the market data, supplier examples, and 2026 industry claims as reference material rather than verified procurement advice, and independently verify important sourcing decisions before relying on them.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 89% confidence
- Finding
- The skill says users can interact with it using natural language and then provides only example prompts, without defining specific trigger boundaries, exclusions, or when the skill should not activate. For a markdown file, this creates an ambiguous activation scope that could overlap with ordinary sourcing-related conversation rather than a clearly constrained invocation pattern.
VirusTotal
58/58 vendors flagged this skill as clean.