Security audit

Latitude MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed Latitude workspace integration, but users should treat it as powerful because it can access sensitive workspace resources.

Install only if you want your agent to work with your Latitude workspace. Use a least-privilege Latitude API key when possible, review the tools exposed by the MCP server, and consider tool filters or explicit approvals for member management, API key access, and other high-impact changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly states the agent can 'read and manage' sensitive Latitude workspace resources, including members and API keys, but does not prominently warn users that enabling this MCP server grants write-capable access to potentially high-impact resources. This can lead to users authorizing broader access than they realize, increasing the risk of unintended modifications or disclosure through normal agent use or prompt-induced misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.