DHL Tracking

Security checks across malware telemetry and agentic risk

Overview

This is a narrow DHL parcel-tracking helper that sends a user-provided tracking number to dhl.de and shows no hidden data access or destructive behavior.

Install only if you are comfortable sending DHL tracking numbers to dhl.de through an unofficial endpoint. Avoid aggressive polling, and set up cron monitoring only if you intentionally want repeated background checks.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill instructs the agent to make external network requests and execute shell/Python commands, but it does not declare corresponding permissions. Undeclared capabilities are dangerous because they bypass transparent consent and review boundaries, making it easier for a seemingly simple tracking skill to perform actions the platform or user did not explicitly authorize.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal