Knowledge Base Collector

Security checks across malware telemetry and agentic risk

Overview

The skill saves user-chosen URLs, screenshots, notes, and search metadata into a local knowledge base, with a disclosed but privacy-relevant dependency on r.jina.ai for URL extraction.

Install only if you are comfortable creating a persistent local KB and sending saved URLs through r.jina.ai for extraction. Redact tokens, verification codes, private links, screenshots, and OCR text before ingesting them, and confirm the exact target device and command before using any connected-macOS-node WeChat fallback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of file read/write, network access, and likely environment-dependent behavior, but declares no permissions. This creates a transparency and policy-enforcement gap: operators and automated guardrails may approve or execute the skill without understanding that it can access local files, write persistent KB data, and fetch external content, increasing the chance of over-privileged or unexpected execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The described functionality does not match the implemented behavior: it relies on an external proxy fetch path, mentions a macOS-node fallback that is not actually implemented, and claims Telegram-oriented search support while only exposing local CLI search. This mismatch is security-relevant because users may route sensitive URLs, screenshots, or WeChat content under false assumptions about where data goes, what systems are contacted, and what execution paths exist.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends arbitrary user-supplied URLs to r.jina.ai, an external third-party proxy/extraction service, without any consent prompt, warning, or allowlist. In a knowledge-base collector, users may ingest private, pre-release, tokenized, or otherwise sensitive links, so forwarding them off-platform can leak confidential URLs and fetched content to an external processor.

VirusTotal

65/65 vendors flagged this skill as clean.
