Pentest with Burp Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a coherent penetration-testing skill, but it gives powerful testing instructions with limited safeguards for credentials, certificate bypass, and sensitive report contents.

Install only for authorized security testing. Define the target scope first, use test accounts, avoid real credentials when certificate validation is disabled, and redact tokens, personal data, internal URLs, raw responses, keys, and exploit details from generated reports and tool histories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Low
Confidence: 94%
Finding
The skill explicitly instructs the agent to create and continuously append to a local file named `pentest_report.md` without any user-facing disclosure or consent step. While this is not inherently malicious, it causes an undocumented side effect on the local workspace and may persist sensitive assessment data, targets, or captured findings in a place the user did not expect.

VirusTotal

62/62 vendors flagged this skill as clean.
