Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
call-pro
Security checks across malware telemetry and agentic risk
Overview
This is a local call-preparation helper that may handle sensitive conversation notes, but the reviewed artifacts are disclosed, purpose-aligned, and not externally sharing data.
Install only if you are comfortable keeping call notes, contacts, commitments, and follow-up history locally. Review and delete memory/calls records as needed, and verify missing helper scripts before relying on workflows beyond call preparation.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 95% confidence
- Finding
- The manifest description says to use the skill when the user mentions "phone calls, meetings, conversations, commitments made, or follow-ups needed," which is a very broad set of everyday topics. It does not clearly define boundaries or exclusions, so the skill may be invoked for many ordinary discussions that are not intended to trigger call-management behavior.
VirusTotal
66/66 vendors flagged this skill as clean.