ontology (bidirectional default)

Security checks across malware telemetry and agentic risk

Overview

This skill is a local, persistent knowledge-graph helper whose file writes and schema changes match its stated memory-management purpose.

Install only if you want a workspace-local persistent memory graph. Avoid putting actual secrets in it, review entries before storing sensitive personal or business information, and remember that deletes remove entities from active retrieval but do not necessarily erase their historical JSONL records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes the skill as a typed knowledge graph for creating/querying entities, linking objects, enforcing constraints, and sharing state. This file also exposes a `schema-append` command that writes and merges schema definitions, which changes the ontology's governing rules rather than operating on graph memory itself. That is a broader behavior than the manifest advertises.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The description says to trigger on phrases like "remember" and "what do I know about," which overlap with common everyday conversational language and are not tightly constrained to a specific command context. Although some examples are domain-related, the activation guidance is broad enough that normal dialogue could accidentally match the skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete_entity function appends a delete operation to persistent storage, which is a destructive state change. While the CLI prints a message after deletion, there is no pre-action confirmation, cautionary comment, or user-facing warning in this file that the command permanently removes an entity from active graph state.

VirusTotal

65/65 vendors flagged this skill as clean.
