Back to skill

Security audit

Deadlinks

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward broken-link checker whose file reading and web requests match its stated purpose, with some network-privacy cautions.

Install if you need a simple link checker and are comfortable with it reading the files or directories you name and contacting URLs when external checking or crawling is enabled. Avoid running it on confidential or untrusted documents without reviewing the links first, and use narrow targets, timeouts, and worker limits for automated runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents capabilities to read local files and make outbound network requests, but it does not declare any permissions. That mismatch is dangerous because it hides the true trust boundary of the skill, preventing proper review, consent, or sandboxing decisions before the agent accesses repository contents or contacts external hosts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool performs outbound HTTP requests to every discovered external link and to crawled pages without any explicit consent prompt, allowlist, or privacy warning. In an agent context, this can disclose internal documentation contents, user interest, IP address, and timing metadata to third-party hosts, and may also trigger requests to sensitive internal endpoints if untrusted Markdown or URLs are supplied.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.