FRED-Navigator

Security checks across malware telemetry and agentic risk

Overview

This FRED lookup skill is mostly coherent, but its helper script disables HTTPS certificate verification while using a FRED API key.

Review before installing. The skill needs a FRED API key and makes network calls to FRED; remove the SSL context override before use, install dependencies in an isolated environment, and pin dependency versions if you need reproducible or higher-assurance operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 69% confidence
Finding: The description omits behaviors beyond simple navigation, including local file generation and, per the analyzer, modification of global SSL context behavior. Undisclosed SSL-context changes are especially concerning because they can weaken TLS verification for all subsequent network calls in the process, enabling man-in-the-middle risk and making the skill's real behavior harder to audit.

Unpinned Dependencies

Low

Category: Supply Chain
Content: # Dependencies for FRED Scout Skill fredapi pandas
Confidence: 96% confidence
Finding: fredapi

Unpinned Dependencies

Low

Category: Supply Chain
Content: # Dependencies for FRED Scout Skill fredapi pandas
Confidence: 98% confidence
Finding: pandas

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal