Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Linkfuse
Security checks across malware telemetry and agentic risk
Overview
Linkfuse does what it claims: it uses a Linkfuse API token to turn a user-provided URL into a short affiliate link.
Install only if you are comfortable giving the skill a Linkfuse API token and sending shortened URLs to Linkfuse. Use proper shell escaping for URLs, avoid shortening secret-bearing private URLs, and only copy the result to your clipboard when you explicitly want that.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)
Missing User Warnings
Medium
- Confidence
- 90% confidence
- Finding
- The markdown instructs the agent to offer copying the generated short URL to the clipboard and provides a shell command that writes to the user's clipboard. This affects user system state, but the skill description does not include any warning about clipboard modification or the need for explicit user consent before running the command.
VirusTotal
66/66 vendors flagged this skill as clean.