Back to skill

Security audit

Evalpal

Security checks across malware telemetry and agentic risk

Overview

Evalpal is a straightforward EvalPal integration that uses a declared API key to list, run, and check evaluations.

Install this only if you want your agent to access EvalPal with your API key. Use a scoped or dedicated key if available, keep EVALPAL_API_URL on the trusted EvalPal endpoint, and remember that list/status/run output may expose project names, eval names, run IDs, and test results in chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# Check for required tools
for tool in curl jq; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "Error: '$tool' is required but not installed"
    exit 1
Confidence
70% confidence
Finding
curl jq; do if ! command -v "$tool" >/dev/null 2>&1; then echo "Error: '$tool' is required but not installed" exit 1 fi done # ------------------------------------------------------------

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.