Jackal Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide encrypted agent memory storage with sensitive but purpose-aligned local key handling and network persistence.

Before installing, confirm you are comfortable with an agent storing encrypted memories through a remote service and managing local encryption keys. Avoid storing secrets unless you understand how keys are created, backed up, rotated, and deleted.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill performs sensitive actions including reading environment variables, reading and writing local files, and making network requests, but it does not declare corresponding permissions. This creates a transparency and consent problem: an agent or platform may invoke the skill without clearly surfacing that it can access secrets, persist local data, and exfiltrate encrypted or plaintext-derived content to a remote service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal