Paprika

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Paprika Recipe Manager helper, but it can access private recipe, meal plan, and grocery data after authentication.

Install only if you are comfortable letting the agent use the Paprika CLI to display recipes, meal plans, and grocery lists from your account. Prefer interactive authentication when possible, avoid putting your Paprika password in shared shells or logs, and verify the global npm package before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 86%
Finding
The skill enables access to personal Paprika account data such as recipes, meal plans, and grocery lists, but the description does not clearly warn users that invoking the skill may expose private household information. This is a real privacy transparency issue because users may not realize the scope of account data the tool can retrieve, increasing the risk of unintended disclosure in shared or sensitive contexts.

VirusTotal

62/62 vendors flagged this skill as clean.
