Back to skill

Security audit

Perplexity Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AIsa/Perplexity search skill that sends user prompts to the expected external API using a declared API key.

Install this only if you intend to use AIsa/Perplexity search. Keep AISA_API_KEY protected, and avoid sending secrets, private documents, or sensitive personal data unless you are comfortable sharing that content with the external API provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly requires an API key from the environment and performs outbound network requests, but it does not declare corresponding permissions. This creates a capability/visibility gap: operators may invoke the skill without realizing it can transmit user prompts and possibly sensitive data to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.