Back to skill

Security audit

Domain Name Checker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: check domain availability and optionally use OpenRouter to brainstorm names, with privacy caveats users should understand.

Use basic domain checks freely if DNS lookups for the searched names are acceptable. Only use brainstorm mode if you are comfortable sending the project description to OpenRouter with your OPENROUTER_API_KEY; avoid confidential launch names, internal plans, or sensitive business ideas unless that sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs the agent to execute a local Python script and acknowledges use of environment variables and external network access, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users or hosting platforms may approve the skill without realizing it can invoke shell commands, read env-derived secrets, and make outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims 'No API key required,' but the brainstorming feature requires OPENROUTER_API_KEY and sends user-provided descriptions to an external LLM service. This mismatch can mislead users about both operational requirements and data flow, causing unintended disclosure of potentially sensitive project ideas or prompts to a third party.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata claims 'No API key required,' but the brainstorm feature requires `OPENROUTER_API_KEY` and transmits data to an external LLM service. This is a security-relevant transparency issue because users may invoke the skill without understanding that a credential and third-party network disclosure are involved.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-supplied descriptions are sent to an external LLM API without an explicit privacy warning or confirmation at the point of use. If users enter sensitive project names, internal product ideas, or confidential descriptions, the skill can disclose that data to a third party unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.