Back to skill

Security audit

mtg-edh-deckbuilder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Magic: The Gathering lookup skill that sends card-search queries to Scryfall and displays the results.

Install this if you want MTG card search through Scryfall. Be aware that card names and search terms may be sent to Scryfall, and ambiguous prompts mentioning magic or cards could trigger this skill unless your agent asks for clarification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description says to use the skill for users who ask about MTG cards and includes broad triggers like mentions of "MTG," "Magic," deck building questions, or requests for card information. While MTG-focused, these activation conditions are not tightly scoped and do not provide exclusion conditions or negative examples, which could cause the skill to activate on general conversation about magic or cards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.