NBA game schedule today, scores and standings rank.

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward NBA scores and standings skill that fetches public sports data when used.

Before installing, understand that the skill makes live outbound requests to NBA and StatMuse when used. It does not need credentials or install dependencies, but results depend on external site availability and the StatMuse parser may break if their page layout changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to fetch data from external URLs (NBA CDN, StatMuse, NBA.com), which is network-capable behavior, yet no permissions are declared. That mismatch is a real security and governance issue because it bypasses least-privilege expectations, reduces auditability, and may allow unreviewed outbound requests to third-party services.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal