MCP Colombia

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it should be reviewed because it handles identity/reputation tokens and job-application personal data with incomplete privacy and consent boundaries.

Install only if you trust the external npm package and are comfortable sending identity and job-related data to third-party services. Treat Soulprint tokens, DID/reputation data, Brave API keys, CV or LinkedIn URLs, salary expectations, and cover messages as sensitive, and require explicit user confirmation before any job-application use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs clients to supply an `x-soulprint-token` and states that identity status and reputation are checked against a live external validator node, but it does not warn users that sensitive identity-linked data will be transmitted off-platform. Because this token gates access to sensitive functions such as job applications and exposes DID/reputation data, users may unknowingly disclose personal or correlatable identity information to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal