Graph Limitless Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Limitless market data tool, with normal privacy and supply-chain cautions for an external npm MCP package.

Install only if you trust the npm package and are comfortable sending Limitless market queries to The Graph and Limitless endpoints. Use a dedicated revocable GRAPH_API_KEY, avoid including private information in prompts that may trigger market searches, and disable the skill if you do not want automatic Limitless-related lookups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence: 93%
Finding
The skill explicitly states it may be invoked autonomously when an AI agent detects a Limitless prediction market question, but the trigger description is broad and underspecified. That can cause the agent to send user prompts or derived query data to external services without sufficiently clear user intent, creating an avoidable privacy and data-sharing risk even though the documented endpoints appear legitimate and narrowly scoped.

VirusTotal

64/64 vendors flagged this skill as clean.
