Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Super Mcp Client 1.0.3
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed MCP client that connects to user-specified servers and does not show hidden persistence, credential theft, or destructive behavior.
Install only if you intend to connect to MCP servers you control or trust. Review a server's listed tools and resources before calling tools or reading resources, and be careful with API keys and file:// resource requests.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)
Vague Triggers
Medium
- Confidence
- 91% confidence
- Finding
- This is a markdown/manifest-scoped vague-trigger issue because the description presents the skill as a general integration capability across 'tools, data sources, and services' without stating when it should or should not be used. It provides no explicit trigger phrases, scope limits, or exclusion conditions, making the activation context ambiguous.
VirusTotal
65/65 vendors flagged this skill as clean.
Static analysis
No suspicious patterns detected.