Octen Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Octen web-search skill that uses a disclosed API key and sends user-provided searches to Octen.

Install only if you are comfortable giving the skill an Octen API key and sending search queries to Octen. Avoid searching for secrets, private customer data, or confidential internal material unless sharing that content with Octen is acceptable; use a scoped/revocable API key where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill metadata declares required environment access and clearly describes making outbound web requests, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators may approve or run the skill without realizing it can read secrets from the environment and transmit data over the network.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal