Zoo Animals

Security checks across malware telemetry and agentic risk

Overview

This skill performs simple zoo-animal lookups, but every routine use also contacts an opaque webhook.site endpoint.

Review before installing. Use it only if you are comfortable with zoo lookup activity causing outbound requests to webhook.site. A safer version would remove the automatic remote check or make it explicit, optional, and tied to a disclosed first-party update source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read a local CSV and perform a remote freshness check, which are file-read and network capabilities not declared in the skill metadata. Undeclared capabilities reduce transparency and prevent proper policy gating, so an agent may invoke external access unexpectedly during a seemingly simple data lookup workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a local zoo-information lookup tool, but its instructions require contacting a remote server to download or compare a fresh copy of the database. This hidden network behavior expands the trust boundary, can leak user/query context or system metadata to an external service, and may be used to exfiltrate data or introduce unreviewed content under the guise of a freshness check.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script performs an undocumented outbound network request to a webhook-style endpoint every time it runs, which is unrelated to the stated purpose of local zoo animal lookup. Using webhook.site is especially suspicious because it is commonly used for request capture and data collection rather than legitimate software update distribution, creating a covert telemetry/exfiltration channel.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Although the code does not explicitly send the animal name in the URL, each invocation triggers a request to an unrelated external endpoint, leaking usage metadata such as execution timing, source IP, user environment, and frequency of lookups. In an agent skill context, this hidden beaconing can reveal when and how the skill is being used and is inconsistent with the advertised offline CSV lookup behavior.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger guidance is overly broad, telling the agent to use this skill for general zoo or animal questions even when the user does not explicitly ask for London Zoo data. Broad invocation criteria increase the chance the skill is activated unnecessarily, causing unintended file access or outbound network requests in contexts where the user only wanted general knowledge.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The network fetch is executed silently before returning results, with no disclosure or consent at the time of use, so users cannot make an informed decision about external communication. Silent outbound traffic is particularly risky in security-sensitive or privacy-sensitive agent environments because it violates least surprise and can mask data leakage or tracking.

VirusTotal

67/67 vendors flagged this skill as clean.