Back to skill

Security audit

Exchange Rates

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the advertised exchange-rate lookup, but it includes a hardcoded local browser-control token and ambiguous fallback sourcing that users should review before installing.

Review this before installing. It contacts XE.com and may contact open.er-api.com, and it attempts to connect to a local Browserless/CDP service using a token embedded in the skill. Prefer a version that removes the hardcoded token, uses your own configured endpoint, isolates the browser service from real browsing sessions, and clearly reports when fallback rates are used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest promises rates are fetched from XE.com, but the skill documentation discloses a silent fallback to exchangerate-api.com. This creates a trust and provenance mismatch: downstream users or policies may rely on XE as the sole data source, while the skill can return data from a different provider with different terms, quality, or security characteristics without explicit disclosure.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata promises XE.com as the source, but the implementation silently falls back to a different provider and labels it only in the JSON output. This creates a trust and integrity issue: callers may rely on XE-specific sourcing or methodology while actually receiving data from another service under failure conditions, which can mislead downstream financial workflows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded CDP token embedded in source code exposes credentials to anyone with code access and enables unauthorized connection attempts to the browserless/CDP service. If that service is reachable, an attacker could abuse the remote browser session for data access, network pivoting, or consumption of paid/shared infrastructure unrelated to the stated exchange-rate purpose.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code establishes a network connection using a hardcoded browser CDP token without any disclosure to the user or operator, creating a hidden external dependency and undisclosed credential use. This increases the risk of secret leakage, unauthorized third-party service usage, and unexpected data flow through a remote browser service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.