Security audit

Virtuoso Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Virtuoso SKILL API lookup and linting helper with user-invoked file scanning and an optional web UI to use carefully.

Install this if you need local Virtuoso SKILL API lookup and linting. Run directory checks only on intended project folders, and start the web UI only on localhost or a trusted network because it has no authentication and listens on all interfaces.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 83% confidence
Finding: The skill documentation advertises capabilities that imply local file access, file writing, and a network-exposed web interface, but no permissions are declared. This creates a trust and enforcement gap: users and hosting platforms cannot accurately assess or constrain what the skill may access, increasing the risk of unintended data exposure, filesystem modification, or network service exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.