Back to skill

Security audit

Competitor Intel Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real competitor website monitor, but it needs review because it overstates its features and allows broad network fetching and persistent local writes with weak safeguards.

Install only if you intentionally want a local script that fetches competitor web pages and keeps snapshots under your home directory. Use public competitor URLs only, avoid path-like competitor names, and do not rely on the advertised social monitoring or external alert channels unless the skill is updated to actually implement them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and instructs use of functionality that requires network access and local file read/write, but it declares no permissions. This creates a transparency and policy-enforcement gap: users or the host system cannot accurately assess or constrain what the skill will access, increasing the chance of over-privileged execution and unexpected data handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The skill claims automated monitoring, social tracking, configurable alert channels, and feature detection that are not actually implemented. This is dangerous because operators may rely on nonexistent monitoring or alerts for business decisions, creating blind spots and false assurance; mismatches between advertised and real behavior are also a trust and security problem when they hide actual capability limits.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.