Parcel Package Tracking

Security checks across malware telemetry and agentic risk

Overview

This skill openly connects to Parcel to list and add package deliveries; sharing the API key and shipment data with Parcel is expected for that purpose.

Install only if you are comfortable providing a Parcel API key to this skill. Treat the add command as an account-changing action: confirm the tracking number, carrier, description, and whether --notify is set before running it, and rotate or remove the API key when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill requires access to the PARCEL_API_KEY environment variable but does not declare permissions, creating a transparency and governance gap. Undeclared environment access makes it harder for reviewers and users to understand what secrets the skill needs and increases the chance of overbroad or unintended secret exposure.

Missing User Warnings

Low
Confidence: 88%
Finding
The skill omits a clear warning that using the add action sends tracking numbers, carrier identifiers, and package descriptions to an external Parcel service and may trigger push notifications. This can lead users to disclose shipment metadata without informed consent, creating privacy and operational surprises even if the API use is expected.

VirusTotal

66/66 vendors flagged this skill as clean.