Security audit

Fing Local API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only helper for querying a Fing local network API, but it can reveal sensitive device and presence information when configured with an API key.

Install only if you are comfortable letting the agent query your Fing Local API. Keep FING_API_KEY private, use localhost or a trusted local/LAN Fing agent for FING_API_HOST, and prefer summary output unless you specifically need detailed device or people/presence data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill invokes a Python helper, reads environment variables and a workspace .env file, and performs network requests to a local HTTP API, but the skill metadata declares no permissions. This creates a capability/visibility gap: operators and policy systems may treat the skill as less privileged than it actually is, while it can still access secrets like FING_API_KEY and query sensitive local network inventory data.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script defaults to plain HTTP and sends the API key as a query parameter, which can expose the credential through local network interception, reverse proxies, browser/history equivalents, or server/access logs. Even if the default host is localhost, the tool allows arbitrary hosts and provides no enforcement or warning when transmitting credentials insecurely.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.