Security audit

Cputemp

Security checks across malware telemetry and agentic risk

Overview

The script itself appears low-risk, but the package is not coherent because its documentation describes a Yahoo Finance stock skill while the script reads local Raspberry Pi temperature data.

Review this package carefully before installing. The temperature script may be harmless for a Raspberry Pi user, but the skill should be renamed and documented accurately, or the script should be replaced with the promised Yahoo Finance functionality.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The script's behavior is inconsistent with the declared skill purpose: instead of fetching Yahoo Finance stock data, it reads local Raspberry Pi CPU and GPU temperature information. This mismatch is dangerous because it can mislead reviewers and users about what the skill actually does, enabling unauthorized local system inspection and eroding trust in the agent's permissions and behavior.

VirusTotal

65/65 vendors flagged this skill as clean.