Baseball

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MLB lookup tool that runs local Python scripts and fetches public baseball data from MLB endpoints.

Before installing, understand that the skill runs Python scripts and contacts the public MLB Stats API to retrieve schedules, scores, and player stats. It does not appear to use credentials or read private local data, but its metadata could be clearer about network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill clearly performs outbound network access to the MLB Stats API, but its metadata only declares a requirement for the python3 binary and does not declare network capability/permission. This creates a permission transparency gap: reviewers and policy enforcers may treat the skill as local-only even though it can send requests to external services, which weakens security controls and auditability.

VirusTotal

64/64 vendors flagged this skill as clean.
