Isdayoff Checker

Security checks across malware telemetry and agentic risk

Overview

This is a small date-checking skill with a documented network call, but its optional custom endpoint should be used carefully.

Reasonable to install if you want a simple workday/day-off checker. It sends the requested date to isdayoff.ru by default; only use --endpoint with URLs you trust, and do not point it at internal services or sensitive local endpoints.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The script exposes a user-controlled --endpoint parameter and passes it directly to urllib.request.urlopen, allowing requests to arbitrary URLs instead of only isdayoff.ru as the skill description suggests. In an agent environment, this can turn a simple date-checking skill into a generic outbound network primitive, enabling SSRF-like access to internal services, metadata endpoints, or unauthorized third-party hosts.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: Although the default endpoint is isdayoff.ru, the code design allows callers to replace it with any URL, which contradicts the declared skill purpose and weakens trust boundaries. This mismatch is security-relevant because policy reviewers may approve the skill as a single-purpose API client while it can actually be used for arbitrary outbound HTTP requests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal