Security audit

firstdata

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed connector to a hosted FirstData lookup service, with the main caution being careful handling of the API token and off-platform queries.

Install only if you trust the FirstData hosted service. Treat FIRSTDATA_API_KEY like a password, avoid sending secrets or regulated data through the MCP unless approved, prefer manual configuration or a pinned CLI version, and rotate the token if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to connect to a third-party hosted MCP endpoint and send an Authorization bearer token, but it does not clearly warn that user queries and authentication data will be transmitted off-platform to a remote service. This creates a real privacy and credential-handling risk because users or agents may disclose sensitive prompts, research topics, or secrets without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.