Security audit

Maverick Trello Mcp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Trello integration that uses Trello credentials to read and change Trello cards, with no evidence of hidden data access or persistence.

Install only with a Trello token scoped to the boards and actions you intend to allow. Treat card creation, updates, moves, and comments as real changes to shared Trello boards, and consider pinning mcporter if your environment requires strict supply-chain controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding:
The skill explicitly requires environment variables containing a Trello access token and API key and invokes a local subprocess that makes outbound Trello API requests, but the skill file does not declare any formal permissions boundary for env or network access. This creates a transparency and governance gap: operators may enable the skill without realizing it can read credentials and transmit board data externally via the MCP wrapper.

VirusTotal

VirusTotal findings are pending for this skill version.