Gen Paylink Govilo

Security checks across malware telemetry and agentic risk

Overview

This skill transparently uploads user-selected files to Govilo to create paid unlock links, using the expected Govilo API key and seller wallet address.

Install only if you trust Govilo and are comfortable uploading the selected files to Govilo/R2 and creating paid links with your account. Use a dedicated .env.govilo file, verify the seller wallet address and price before running, and prefer a trusted package manager or verified installer for uv instead of pipe-to-shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill explicitly requires environment variables and performs outbound API/upload operations, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an orchestrator or reviewer may treat the skill as lower risk than it really is, while the skill can access secrets and send data to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.
