Fortune China500 Skill

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Fortune China 500 ranking data and creates a local Excel spreadsheet, matching its stated purpose.

Before installing, expect the skill to contact a public Fortune China data website and write an .xlsx file locally, defaulting to /tmp unless a path is supplied. Review or choose the output path if overwrite/location matters, and install any Python dependencies from trusted package sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill explicitly states it will automatically fetch data from an official source, which implies network access, but no corresponding permissions are declared. This creates a mismatch between documented behavior and the permission model, increasing the risk of undeclared outbound requests, weak reviewability, and broader-than-expected data access during execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal