Security audit

Submit Directories

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed directory-submission automator, but its target list is broad and messy enough that it could submit product/contact data to unintended sites without enough per-site control.

Install only if you are comfortable with an agent sending your product details, contact email/name, optional throwaway credentials, and images to many third-party sites. Before running a submission, review and prune directories.json, use throwaway credentials and a throwaway email, avoid real personal passwords, require manual approval per destination or category, and treat OAuth logins and GitHub PR creation as actions that need explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read environment variables, read and write local files such as .env, submission_plan.json, and checkpoint.md, and perform broad network actions including website visits, form submissions, OAuth flows, and GitHub PR creation, but it does not declare permissions. This is dangerous because users and orchestrators cannot accurately scope or review the skill's access before execution, increasing the risk of unintended data exposure, credential misuse, or automated actions against third-party services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This dataset is meant for AI/startup directory submission, but it includes many unrelated targets such as social platforms, Reddit communities, Facebook groups, media outlets, general business directories, and arbitrary websites. In the context of an auto-submission skill, this broad scope can drive unintended posting, account usage, and disclosure of product/company data to destinations the user did not authorize, substantially increasing abuse and privacy risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Multiple records claim to target one site while their URLs point somewhere else, to dead domains, or to malformed placeholders. In an automation pipeline this can misdirect submissions to the wrong third party, leak proprietary or personal information, and cause the agent to interact with attacker-controlled or unintended destinations.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The dataset includes many destinations requiring Google, Facebook, Twitter, LinkedIn, GitHub, and other unrelated identities, which exceeds what users would reasonably expect from a directory-submission skill. In this skill context, that expands the credential and OAuth attack surface and increases the chance of unsafe cross-site posting or consent bypass during automation.

VirusTotal

53/53 vendors reported this skill as clean.