Back to skill

Security audit

Mcp Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only wrapper for Exa research tools, with the main caution that searches and research inputs go to an external service.

Install this only for research workflows where sending lookup inputs to Exa is acceptable. Avoid entering secrets, credentials, private code, regulated data, or confidential business information unless you have separately reviewed and accepted the provider’s data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly wraps an external MCP service and advertises web search, crawling, and research capabilities, but it does not disclose that user prompts, search terms, and possibly retrieved context may be transmitted to a third-party endpoint. This creates a real data exposure and privacy risk, especially if users provide sensitive inputs or if downstream tool outputs are fed back into the external service without clear notice or consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.