Security audit

Immortal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto-risk lookup tool that contacts an external API and does not show hidden local access, persistence, credential use, or destructive behavior.

Install only if you are comfortable sending requested coin IDs and time-window parameters to the Majestify crypto-health API or another endpoint you explicitly choose. Avoid custom API URLs you do not trust, and do not treat the financial classifications as automatic investment instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill explicitly advertises live calls to the Majestify API and internet access, yet the metadata declares no permissions. This creates a transparency and policy-enforcement gap: an agent platform or user may assume the skill is local-only, while it can exfiltrate queried asset selections and other runtime inputs over the network.

Missing User Warnings

Low
Confidence: 91%
Finding:
The skill description and usage text do not provide a prominent warning that user-supplied asset/query data is transmitted to an external service. While the document mentions internet access and an API, the absence of an explicit warning reduces informed consent and may cause operators to send sensitive portfolio or strategy-related inputs off-box unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.