MuleRouter

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MuleRouter/MuleRun API wrapper for user-directed image and video generation, with expected credential, network, and media-handling behavior.

Install only if you intend to send prompts, media URLs, and selected local image files to MuleRouter/MuleRun for processing. Keep `MULEROUTER_BASE_URL` pointed at a trusted endpoint, protect any `.env` file containing the API key, and avoid passing API keys directly on the command line in shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares only Bash and Read tools, but its documented workflow and compatibility clearly require access to environment variables, local file reads, local file writes, and outbound network connections. This permission mismatch is dangerous because reviewers or policy systems may underestimate what the skill can actually do, while the skill handles an API key and sends data to user-configurable endpoints in Authorization headers.

VirusTotal

65/65 vendors flagged this skill as clean.
