St Ent Mcp Install

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed installer for a specific 699pic MCP server, with expected risks around cloning external code and storing an API key for later MCP use.

Install only if you trust the st699pic repository and the 699pic enterprise service. Review the target repo before setting ST_ENT_MCP_REVIEWED=1, use a dedicated least-privilege SERVICE_API_KEY, and remember that the project MCP registration may keep that key available to future local agent sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Natural-Language Policy Violations

Low
Confidence: 82%
Finding: The manifest description specifies example invocation phrases partly in Chinese and partly in English, but does not explain whether the skill is intended only for Chinese-speaking users or whether language selection is user-driven. This can violate language/locale policy expectations when a skill appears to bias activation toward a specific language without explicit opt-in or justification.

VirusTotal

66/66 vendors flagged this skill as clean.
