Search Console Report

Security checks across malware telemetry and agentic risk

Overview

This Search Console reporting skill is mostly aligned with SEO reporting, but its bundled script uses fixed sites and hard-coded local paths that can handle sensitive analytics data in ways users would not clearly control.

Review before installing. Use a dedicated read-only Search Console service account, keep the JSON key out of chat and source control, and edit or inspect gen_report.py so the sites, input file, chart directory, and PDF output path match your current workspace. Delete raw JSON and chart files after use if the analytics data is sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script writes a generated PDF to a hard-coded user-specific absolute path under /Users/admin without runtime confirmation or safe output-path controls. In an agent context, this can cause unintended writes to local filesystem locations, overwrite existing files, leak report contents into a sensitive workspace, or fail unpredictably depending on environment and permissions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal