Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
City of Lethbridge Open Data
Security checks across malware telemetry and agentic risk
Overview
This skill appears to query public City of Lethbridge open-data sources with a user-run Python CLI and no hidden or unrelated behavior.
Install this if you are comfortable with a user-invoked Python script making public open-data requests and creating a small local cache. Use fetch limits for large datasets; CSV output is printed rather than silently saved.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
66/66 vendors flagged this skill as clean.