ncm-cli setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ncm-cli setup guide with a disclosed mpv installer, but users should review package-manager commands and handle API keys carefully.

Install this only if you intend to add ncm-cli and possibly mpv to your machine. Review npm, package-manager, and sudo prompts before approving them. Treat appId, privateKey, and login state as sensitive; avoid entering keys in shared, logged, or recorded terminals.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill clearly instructs execution of shell commands such as npm installs, Python scripts, and CLI configuration, yet no permissions are declared. This creates a mismatch between advertised capability and actual behavior, which can lead to unreviewed command execution and weakens platform safety controls.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The activation text is broad enough to match generic installation, configuration, or troubleshooting requests, not just narrowly scoped ncm-cli setup tasks. Over-broad triggering can cause the wrong skill to activate and propose shell commands or setup steps in contexts the user did not intend, increasing the chance of unsafe or irrelevant actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal