Back to skill

Security audit

Cn Temperature Converter

Security checks across malware telemetry and agentic risk

Overview

This is a simple local temperature converter with visible promotional links, but no evidence of hidden execution, data access, persistence, or network behavior in the runnable code.

Install this if you want a small local temperature converter. Be aware that the documentation includes unrelated promotional links, and the marketplace metadata appears to overstate credential needs even though the code does not use credentials or network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The skill manifest contains promotional external links unrelated to the stated temperature-conversion functionality. While not directly executable code, unrelated outbound links in a skill package can mislead users, create trust confusion, and serve as a vehicle for traffic diversion or future social-engineering abuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.