office-quotes

Security checks across malware telemetry and agentic risk

Overview

The skill is a quote generator, but its API/image-rendering helpers use broader network and temporary-file behavior than a user may expect.

Install only if you trust the npm package publisher and are comfortable with API mode contacting a third-party service and creating temporary render files. Prefer offline/local mode for routine use, do not pass untrusted URLs into the helper scripts, and review or harden the URL-fetching and SVG-rendering paths before using this in automated workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises no explicit permissions, yet its documented behavior includes network access via API mode and likely file-read capability through packaged CLI/runtime behavior. This creates a transparency and trust problem: users or orchestrators may invoke the skill assuming it is self-contained and low risk when it can reach external services and access local resources. In a quote-generation skill, undeclared network capability is more suspicious because the core function could reasonably be offline-only.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill description materially overstates functionality and misrepresents behavior, including the number of offline quotes, metadata richness, and output format support. While this is not direct code execution risk, deceptive or inaccurate claims can cause users and automated agents to make unsafe trust decisions, especially when combined with undeclared network use. The mismatch makes the skill context more concerning because a simple entertainment tool should not need ambiguous or inflated capabilities.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script accepts an arbitrary URL and fetches it with urllib.request.urlopen() without any allowlisting, scheme restriction, host validation, timeout, or size limits. If exposed to untrusted input, this can enable SSRF-style access to internal/local network resources and can also be abused to download unexpected content and write attacker-influenced output files locally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
In API mode, the skill makes outbound requests to a third-party service and writes untrusted returned SVG content to a predictable file in /tmp, but the interface does not clearly warn users that network access and local file creation will occur. This matters because the fetched content is then rendered through a browser engine, increasing exposure to malicious or unexpected remote content and causing privacy or environment side effects that are not obvious from normal usage.

VirusTotal

61/61 vendors flagged this skill as clean.