Back to skill

Security audit

WOL

Security checks across malware telemetry and agentic risk

Overview

This Wake-on-LAN skill mostly matches its purpose, but it should be reviewed because it stores and changes device records and its script can expose full MAC addresses despite promising to hide them.

Install only if you are comfortable with a local script that can wake devices on your LAN and store their network identifiers. Review or patch the script before relying on its privacy claim, and use add/delete commands only when you intentionally want to change the saved device list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, reads configuration, and modifies `references/devices.yaml`, but declares no permissions. That creates a trust and policy gap: a host system or reviewer may treat the skill as low-risk while it can actually execute commands and persistently alter device mappings. In a skill that can wake hosts and manage stored network identifiers, undeclared capabilities increase the chance of unauthorized execution or insufficient sandboxing.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill documents add/delete operations that modify persistent device mappings without emphasizing that these actions change stored configuration. In an agent setting, insufficient warning or confirmation around destructive or state-changing commands can lead to accidental deletion, misconfiguration, or persistence of attacker-supplied device records.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.