ISBN Book Number Query - ISBN图书书号查询

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed code-review helper, but it defaults to broad full-access review execution and may send code diffs to external reviewer CLIs.

Review the skill before installing in sensitive repositories. Use `--no-yolo` and `--fallback-reviewer none` when you want sandbox prompts and no automatic third-party model fallback, and avoid using it on private code unless those reviewer CLIs and their data handling are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill metadata declares required binaries and environment variables, and the skill clearly relies on outbound API access, but it does not explicitly declare permissions for network and secret/environment access. This weakens least-privilege enforcement and can cause the runtime or reviewers to underestimate the skill's capability to transmit user-supplied queries and use an API key externally.

VirusTotal

66/66 vendors flagged this skill as clean.
