个人SKILL (Personal SKILL)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Go development skill. Some of its logging examples dump raw request parameters and full response bodies, so users should sanitize those examples before applying them.

Install only if you want Go logging and MCP flow guidance for this project. Before applying its examples, replace raw-parameter and full-body logging with redacted, allowlisted, and truncated logging, and verify that any endpoint listed in mcp-config.json is trusted (expected scheme and a host you control) before the skill's MCP flow connects to it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Finding 1: Intent-Code Divergence
Medium (96% confidence)

The skill explicitly warns against logging sensitive information, yet its examples log full response bodies and request parameters. In real Go services, params and bodies often contain tokens, personal data, internal identifiers, or secrets, so developers following this guidance may introduce sensitive-data exposure into centralized logs.

Finding 2: Intent-Code Divergence
Medium (98% confidence)

The MCP example presents `xlogging.D().Debug(fmt.Sprintf("calling mcp tool: %s, params: %+v", toolName, params))` as the normal pattern, which encourages dumping raw parameters with `%+v`. Since MCP tool invocations frequently carry credentials, prompts, user content, or business data, the contradiction between the skill's warning and its example makes the skill more dangerous: insecure logging is shown as the canonical pattern.
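As an added illustration (not code from the skill, from SkillSpector, or from the project), the following Go program puts the flagged `%+v` parameter dump beside a hardened replacement that applies the redacted, allowlisted and truncated logging the install guidance calls for, plus a trust check for an mcp-config.json endpoint. The parameter allowlist, the trusted host name, the tool name and the sample parameters are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// loggableParams is the allowlist of MCP tool parameters that may appear in
// logs verbatim. It is constructed for this example; a real service derives it
// from each tool's schema and keeps it short.
var loggableParams = map[string]bool{
	"repo":  true,
	"limit": true,
}

// maxValueLen caps how much of an allowlisted string value reaches the log.
const maxValueLen = 64

// trustedMCPHosts is a hypothetical allowlist for endpoints read from
// mcp-config.json. Anything not listed here is refused before use.
var trustedMCPHosts = map[string]bool{
	"mcp.internal.example": true,
}

// unsafeToolCallLine reproduces the pattern the findings flag: the whole
// params map, secrets included, is dumped into the log line.
func unsafeToolCallLine(toolName string, params map[string]any) string {
	return fmt.Sprintf("calling mcp tool: %s, params: %+v", toolName, params)
}

// redactParams returns a copy of params in which every key outside the
// allowlist is replaced by "[REDACTED]" and allowlisted string values are
// truncated to maxValueLen bytes.
func redactParams(params map[string]any) map[string]any {
	out := make(map[string]any, len(params))
	for k, v := range params {
		if !loggableParams[k] {
			out[k] = "[REDACTED]"
			continue
		}
		if s, ok := v.(string); ok && len(s) > maxValueLen {
			out[k] = s[:maxValueLen] + "...[truncated]"
			continue
		}
		out[k] = v
	}
	return out
}

// safeToolCallLine is the hardened replacement: same tool name, but only the
// redacted, allowlisted and truncated view of params, serialised as JSON so
// the log line stays machine-parseable.
func safeToolCallLine(toolName string, params map[string]any) string {
	b, err := json.Marshal(redactParams(params))
	if err != nil {
		return fmt.Sprintf("calling mcp tool: %s, params: <unmarshalable: %v>", toolName, err)
	}
	return fmt.Sprintf("calling mcp tool: %s, params: %s", toolName, b)
}

// checkEndpoint rejects an mcp-config.json endpoint unless it uses https and
// its host is on the allowlist.
func checkEndpoint(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("endpoint %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("endpoint %q: scheme %q is not https", raw, u.Scheme)
	}
	if !trustedMCPHosts[u.Hostname()] {
		return fmt.Errorf("endpoint %q: host %q is not a trusted MCP host", raw, u.Hostname())
	}
	return nil
}

func main() {
	// Constructed sample invocation: a repo name (safe to log), a token
	// (secret) and a long user prompt (personal data and log noise).
	params := map[string]any{
		"repo":   "example/repo",
		"token":  "ghp_constructedExampleTokenValue",
		"prompt": strings.Repeat("user text ", 20),
	}
	fmt.Println("UNSAFE:", unsafeToolCallLine("fetch_repo", params))
	fmt.Println("SAFE:  ", safeToolCallLine("fetch_repo", params))

	for _, ep := range []string{
		"https://mcp.internal.example/v1",
		"http://mcp.internal.example/v1",
		"https://attacker.example/v1",
	} {
		fmt.Printf("%s -> %v\n", ep, checkEndpoint(ep))
	}
}
```

Running it shows the unsafe line carrying the token and the whole prompt, while the safe line keeps only the repo name and replaces the rest with `[REDACTED]`; the two untrusted endpoints are rejected before any connection is made. A deny-by-default allowlist is chosen over a denylist of "sensitive-looking" keys because new parameters added to a tool schema then stay out of the logs until someone explicitly decides they are safe.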

VirusTotal

66/66 vendors flagged this skill as clean.
