Security audit

Httpstat

Security checks across malware telemetry and agentic risk

Overview

This is a coherent HTTP timing/debugging skill whose network behavior is expected, but users should avoid sending real secrets in example requests.

Install only if you want the agent to make live HTTP requests for debugging. Use placeholder tokens in examples, avoid sending secrets or private payloads unless you trust the destination, and be aware that request headers, bodies, URLs, and responses may be visible to the target server and in local command output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation indicates capabilities to invoke Python, shell, and outbound network access, but no permissions are declared to make those capabilities explicit. This can cause users or a hosting platform to underestimate the skill's ability to contact arbitrary external URLs and send request data off-system.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly demonstrates making live HTTP requests, including an example with an Authorization bearer token, but provides no warning that headers and body data will be transmitted to the target server and may appear in logs, shell history, or screenshots. In a networking/debugging skill, users are likely to copy-paste examples, so omission of a safety note can lead to accidental disclosure of real credentials or sensitive payloads.

Missing User Warnings

Medium
Confidence: 95%
Finding
The usage examples encourage making HTTP requests, including POST requests with arbitrary body data, but provide no warning that user-supplied URLs, headers, or payloads may be transmitted to external services. In an agent setting, this creates a real risk of unintended data exfiltration, including secrets in headers or sensitive content in request bodies.

External Transmission

Medium
Category: Data Exfiltration
Content
---
name: httpstat
description: Pretty HTTP response statistics with timing waterfall. Use when asked to check a URL's response time, debug slow requests, measure TTFB, or get HTTP timing breakdown. Like curl -v but readable. Zero dependencies.
---

# httpstat ⚡
Confidence: 85%
Finding
curl -v but readable. Zero dependencies.
---

# httpstat ⚡

Pretty HTTP timing statistics. Shows DNS, TCP, TLS, TTFB, and transfer times.

## Usage

```bash
# Basic timing
python3 scripts/httpstat.py
```

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.