CVE Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a simple CVE lookup skill that sends user-entered package or CVE queries to an external API, with no local execution, persistence, credential use, or hidden behavior found.

Reasonable to install for CVE lookups. Avoid submitting confidential internal package names, proprietary component identifiers, full private dependency inventories, or sensitive version details unless you trust the external API provider and its data handling.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The skill documentation describes sending user-provided queries to a remote CVE scanning API but does not clearly warn users that their inputs will be transmitted to an external third-party service. This is a genuine transparency and privacy issue because package names, internal component identifiers, or unreleased software versions entered by users may reveal sensitive information about an organization's technology stack.

External Transmission

Medium

Category: Data Exfiltration
Content: ## References - **Kong Route:** `https://api.mkkpro.com/security/cve-scanner` - **API Docs:** `https://api.mkkpro.com:8010/docs`
Confidence: 94% confidence
Finding: https://api.mkkpro.com/

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal