Back to skill

Security audit

octen web search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Octen web-search helper that sends a user’s query and Octen API key to Octen’s HTTPS search API, with no hidden persistence or local data access found.

Before installing, confirm you trust Octen with your search queries and API key. Keep OCTEN_API_KEY scoped and stored securely, rotate it if exposed, and avoid sending sensitive private information as search queries unless Octen’s privacy and retention practices meet your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares required environment variables and clearly describes outbound API usage, but it does not declare permissions despite needing both environment access and network access. This creates a transparency and policy-enforcement gap: users or orchestrators may approve the skill without realizing it can read a secret and transmit data off-host.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.