Wolfram Alpha

Security checks across malware telemetry and agentic risk

Overview

This is a simple Wolfram Alpha API helper that does what it says: it sends a user query to Wolfram Alpha using a configured app ID.

Install only if you are comfortable sending Wolfram queries to Wolfram Alpha with your WOLFRAM_APP_ID. Avoid including secrets, private personal data, or confidential business information in queries unless that sharing is acceptable for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares capabilities indicating access to environment variables and outbound network use, but no explicit permissions model is declared. That creates a real security gap because the skill can read sensitive configuration such as WOLFRAM_APP_ID and transmit user-provided data to an external API without clear user-visible authorization boundaries. In a networked third-party API skill, this is more dangerous than a purely local utility because queries may contain sensitive data and the missing permission declaration reduces transparency and control.

VirusTotal

66/66 vendors flagged this skill as clean.
