Late Brake

Security checks across malware telemetry and agentic risk

Overview

This is a real local racing-lap analysis CLI, but it should be reviewed because it ships precise private-track geodata and creates persistent local GPS-derived cache files.

Install only if you are comfortable with a local CLI that writes hidden cache files containing parsed lap/GPS data beside analyzed files. Publishers should disclose the cache behavior more clearly and remove or anonymize the built-in private track data before broad distribution.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 91% confidence
Finding: The declared description presents the skill as a pure lap analysis tool, but the documented behavior extends to persistent local caching and reading or modifying track definitions from package data and user directories. This mismatch is dangerous because users and orchestrators may grant trust based on an incomplete description, leading to unexpected filesystem interactions and persistence that can affect privacy, integrity, and review accuracy.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal