Free Keyword Miner

Security checks across malware telemetry and agentic risk

Overview

This is a user-run keyword research tool that sends queries to public search/Reddit sources and saves a JSON report, with a notable caveat that its Reddit source list is adult/relationship-focused.

Install it in a virtual environment, avoid confidential seed keywords because they are sent to external services, and use or edit the Reddit source carefully because it searches adult/relationship-focused subreddits regardless of topic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documents network access and local file output, but the manifest does not declare permissions for those capabilities. Undeclared capabilities reduce transparency and can bypass user or platform expectations about what the skill will access or modify, especially when it writes result files and fetches remote content from multiple sources.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The Reddit mining logic is hard-coded to sexually explicit and relationship-focused subreddits regardless of the user’s query, which can cause the tool to retrieve inappropriate NSFW content unrelated to the requested topic. In an agent/automation context, this creates a real safety and data-handling risk because benign prompts can unexpectedly trigger adult-content collection and downstream storage or display.

VirusTotal

66/66 vendors flagged this skill as clean.
