ALTER Identity

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill connects agents to a hosted ALTER identity MCP service and discloses the consent, data-sharing, optional credential, and paid-query implications.

Install only if you are comfortable connecting your agent to ALTER's hosted MCP service. Before sending resumes, profiles, social links, or other human data, get explicit consent and review ALTER's privacy terms; the raw-text deletion and PII-redaction claims are server-side promises, not protections enforced by this skill. Protect any Pro API key and set spending/tool-use controls for paid queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The README makes a reassuring claim that the skill has no code path that submits data, but then documents a workflow involving write-side operations such as creating identity stubs and submitting human context. Even if those tools are not currently live on the public server, this mismatch can mislead operators into underestimating privacy and consent risks and may cause them to connect agents to a hosted service with stronger data-handling implications than the README initially suggests.

VirusTotal

66/66 vendors flagged this skill as clean.
