Equity Scorer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local bioinformatics reporting skill, but its CSV-only mode can present estimated genetic metrics as if they were computed from genotype data.

Install only if you understand the CSV-mode limitation: use VCF input for genotype-derived heterozygosity, FST, and PCA, and do not treat CSV-only HEIM scores as fully computed genetic evidence. Run it only on data you are authorized to analyze, keep outputs in a private local directory, and review reports before sharing.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill explicitly describes creating an output directory, reports, figures, tables, and reproducibility artifacts, which implies file-writing capability without any declared permission boundary. This is dangerous because an agent framework may permit broader filesystem writes than users expect, increasing the risk of overwriting files or writing sensitive derived genomic outputs to unintended locations.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 93% confidence
Finding: The documented behavior indicates that for ancestry CSV inputs, key scientific outputs may be hardcoded or assumed rather than computed from underlying genotype data, while still being presented as rigorous metrics. This is dangerous because users could make research, clinical-adjacent, or policy decisions based on misleading equity scores, fabricated FST coverage, or missing PCA analyses that appear trustworthy in the generated report.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill processes highly sensitive genotype and ancestry data and automatically writes rich outputs including population assignments, sample counts, PCA plots, checksums, and detailed markdown reports to disk without any explicit privacy warning, consent gate, minimization control, or de-identification option. In this genomics context, even aggregate outputs can reveal sensitive demographic structure and facilitate unintended disclosure if the output directory is shared, synced, or retained insecurely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal