Back to skill

Security audit

Strykr Qa Bot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed QA testing tool for the Strykr website, with expected network access, browser actions, screenshots, and reports for that purpose.

Install this only if you intend to run automated tests against Strykr or an authorized Strykr-like environment. Treat generated screenshots, console logs, and reports as potentially sensitive, and pin or review the web-qa-bot dependency before using it in CI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs users to run network-capable tests against https://app.strykr.ai and references API health checks, but it declares no permissions. This creates a trust and review gap: hosts may execute a skill with outbound connectivity they were not warned about, undermining sandboxing and permission-based risk decisions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.