mcp-charter-planner

Security checks across malware telemetry and agentic risk

Overview

The skill matches its charter-planning purpose and shows no local data access or persistence, but it gives real-world sailing safety guidance with weak operational disclaimers and has inconsistent npm package names in its documentation.

Install only after verifying the intended npm package name. Treat outputs as trip-planning ideas, not navigation or safety instructions; validate routes, weather, reef passages, customs, mooring details, and hurricane-season decisions with current official sources, the charter company, and a qualified skipper.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill provides safety-relevant maritime guidance and explicitly recommends a night sail for intermediate users without pairing it with a clear warning about reduced visibility, collision risk, reef/obstruction hazards, watchkeeping, and the need for local knowledge and appropriate conditions. In a charter-planning context, users may treat the suggestion as actionable expert advice, which increases the chance of unsafe decision-making on the water.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal