Security audit

scryfall-card

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Magic: The Gathering card lookup tool that sends card search terms to Scryfall and does not show hidden or destructive behavior.

Install this if you want MTG card lookup support. Your card names and search queries may be sent to Scryfall, so avoid entering unrelated private information into searches.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill clearly instructs the agent to make outbound network requests to the Scryfall API, but no explicit permissions declaration is present. That creates a policy/containment gap: a user or reviewer cannot easily tell that the skill has network capability, and in systems that rely on declared permissions for enforcement or consent, the skill could access external data without appropriate transparency.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal