今日热榜

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public trending-topic lists from Weibo, Douyin, and Baidu and does not show credential access, local data collection, persistence, or destructive behavior.

Install if you are comfortable with the skill contacting Weibo, Douyin, and Baidu when invoked. Verify any required Python dependencies such as requests and lxml before running it.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill appears to require network access to fetch live trending topics from external platforms, but the manifest does not declare any corresponding permission. Undeclared network capability weakens transparency and permission governance, making it harder for users or the platform to assess data egress and external dependencies. In this context the functionality does legitimately need network access, which lowers suspicion of maliciousness, but the missing declaration is still a real security and compliance issue.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal