Fs Street

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch public Farnam Street RSS articles as advertised, with ordinary network and Python dependency considerations.

Install only if you are comfortable with a local Python script making requests to Farnam Street and installing feedparser and requests. Use an isolated environment or pinned dependencies if supply-chain assurance matters.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation instructs the agent to run a script that fetches external RSS content, which is a network-capable operation, but no corresponding permission is declared. This creates a governance and sandboxing gap: an environment relying on declared permissions could allow undocumented outbound access, reducing transparency and making policy enforcement harder.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal