Back to skill

Security audit

SilverBullet API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SilverBullet note-management integration, but it can read, change, and delete notes on the configured server.

Install only if you want an agent to access your SilverBullet notes. Keep SILVERBULLET_URL/base_url pointed at the intended trusted server, keep dependencies updated, and require explicit confirmation before write, append, or delete actions because they affect real notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill uses environment variables and network access to reach a SilverBullet server, but it does not declare permissions or clearly surface that capability as part of a permission model. This can lead to under-scoped review and unexpected data access or exfiltration risk because the skill can read, write, search, and delete note content over HTTP.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description says it manages markdown pages, but it also exposes a tool to fetch SilverBullet server configuration from /.config. That broadens capability beyond document operations and may disclose sensitive deployment details such as space paths or server mode, violating least-privilege expectations and increasing reconnaissance value for an attacker or over-permissioned agent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The get_server_config tool provides direct access to server configuration without any evident access control, scoping, or user confirmation. Even if the endpoint is intended by SilverBullet, surfacing it through the MCP skill can leak operational metadata that helps enumerate the environment or reveals information users did not intend to share with the agent.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The documentation advertises a delete operation with a direct example but provides no warning, confirmation guidance, or recovery caveat. In an agentic context, this increases the chance of accidental destructive actions against user notes, especially if a model invokes the tool from natural-language intent without sufficient safeguards.

Known Vulnerable Dependency: mcp — 6 advisory(ies): CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to ) +3 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
mcp

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.