Podcast Feed Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed podcast-feed API helper that uses a user-provided huisheng.fm token and a bundled curl script for its stated purpose.

Install only if you intend an agent to manage your huisheng.fm podcast feeds. Provide HUISHENG_API_TOKEN through a trusted environment, avoid pasting the token into chat, and review create/update/delete actions before authorizing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation explicitly directs the agent to invoke a shell script that performs outbound HTTP requests with curl, yet no declared permissions are present to reflect those capabilities. This creates a transparency and policy-enforcement gap: a host system or reviewer may underestimate the skill's ability to execute commands and access the network, increasing the chance of unintended token-backed API actions.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal