Back to skill

Security audit

WHO Growth Charts

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate WHO growth charts using user-provided child measurements, with disclosed WHO downloads and local chart/cache files.

Install if you are comfortable running Python charting dependencies, downloading WHO reference files from cdn.who.int, and storing child growth measurements/charts locally. Treat measurement JSON files and generated charts as private health-related data and delete the output/cache directory when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs network access to download WHO data and writes charts/cache to disk, but the manifest does not declare any permissions for those capabilities. Undeclared capabilities reduce transparency and can bypass a user's or platform's ability to make an informed trust decision, especially because the skill also handles child-related measurement data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.