Neckr0ik Security Fixer

Security checks across malware telemetry and agentic risk

Overview

This security fixer is mostly aligned with its purpose, but it can rewrite local skill files without the confirmation its docs promise and depends on an undeclared scanner module.

Review before installing. Start with --dry-run, keep the target skill in version control, verify the missing audit/scanner dependency and command entrypoint, and do not rely on the default fix command for per-change confirmation. Avoid --auto until you have inspected the generated changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill describes capabilities to read/write files, access environment variables, and invoke shell-related functionality, but it declares no permissions. That mismatch is risky because it hides the true operational scope from reviewers and enforcement systems, making potentially dangerous behavior easier to introduce or abuse without explicit approval.

VirusTotal

63/63 vendors flagged this skill as clean.
