english-dict

Security checks across malware telemetry and agentic risk

Overview

This is a simple local dictionary helper with a small built-in word list and no hidden data access or persistence.

Safe to install for basic vocabulary lookup, but treat results as a small demo dictionary rather than an authoritative source. If you add an external dictionary API later, keep any API keys out of shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
For unknown words, the skill fabricates placeholder meanings and example sentences while presenting itself as a dictionary lookup tool. This can mislead users into trusting incorrect language-learning content, and the risk is heightened because the output is formatted as authoritative dictionary data rather than clearly failing or requiring a real lookup.

Intent-Code Divergence

Low
Confidence: 89%
Finding
The code comments imply that an external dictionary API should be used, but the implementation silently substitutes mock data. This creates a trust gap between documented behavior and actual behavior, which can cause downstream systems or users to rely on inaccurate content as if it were real dictionary output.

VirusTotal

66/66 vendors flagged this skill as clean.
