Back to skill

Security audit

Propzapi Full

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PropzAPI sports-odds integration that uses one API key to make expected API calls and shows no hidden local access or persistence.

Install this only if you are comfortable providing a PropzAPI key, sending sports-odds queries to PropzAPI, and spending metered PropzAPI credits when the tools are called. The skill does not appear to access local files or credentials beyond the disclosed PROPZAPI_KEY.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires both an environment secret (`PROPZAPI_KEY`) and outbound network access, but it does not explicitly declare permissions beyond metadata hints. That creates a transparency and policy-enforcement gap: a host may not be able to clearly review or constrain what sensitive inputs and network capabilities the skill needs before use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.