
Security audit

Thegraph Mcp Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent The Graph MCP helper that uses an expected API key and scoped UXC setup, with no evidence of hidden or destructive behavior.

Install this only if you intend to use The Graph through UXC. Use a dedicated or revocable The Graph API key, keep it in an environment variable or secure credential store, avoid pasting it into prompts or logs, and verify that the thegraph-mcp-cli command name does not conflict with an existing local command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 73%
Finding
The skill instructs users to configure and use a bearer API key, but it does not explicitly warn about sensitive secret handling, least-privilege storage, or avoiding exposure in logs, transcripts, screenshots, and shell history. In a skill that centers on authenticated remote access, omission of basic secret-handling guidance increases the chance of accidental credential disclosure by users or downstream agents.

VirusTotal

64/64 vendors flagged this skill as clean.
