Security audit

Super Mcp Integration 1.0.0

Security checks across malware telemetry and agentic risk

Overview

The plugin appears to do what it advertises, but it gives agents broad power to invoke connected external MCP tools and needs careful review before use.

Install only if you trust the MCP servers you configure and can restrict who may use the mcp tool. Prefer read-only or least-privilege MCP servers, avoid exposing raw database or mutating tools to general chat agents, require user confirmation for sensitive actions, use HTTPS, keep dependencies patched, and redact configs/logs before sharing diagnostics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill explicitly instructs the agent to discover and invoke external MCP tools across connected servers, which is a network-capable action, yet the skill metadata shown here does not declare corresponding permissions or clearly scope that access. This creates a transparency and policy-enforcement gap: users and host platforms may not realize the skill can transmit prompts or retrieved data to third-party services and trigger external operations.

Intent-Code Divergence

Severity: Low
Confidence: 97%
Finding: The documentation’s 'HTTPS Connections' example tells users to use HTTPS in production but leaves the transport field set to "http", creating inconsistent secure-configuration guidance. In an MCP integration skill that brokers access to external tools and data sources, misleading transport/security settings can cause operators to deploy with weaker-than-intended protections or misunderstand whether TLS is actually enforced.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The README explicitly demonstrates a database MCP tool that accepts raw SQL and shows an example query flow, but it does not pair that example with strong warnings about arbitrary query execution, sensitive data exposure, or the need for strict authorization and query restrictions. In the context of an MCP integration plugin that centralizes external tool execution for AI agents, this can normalize unsafe deployment patterns and increase the likelihood that operators expose powerful database actions to agents without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The usage guide encourages immediate external tool discovery and execution but does not warn that user input, conversation context, or derived data may be sent to remote MCP servers outside the local trust boundary. In a skill designed for dynamic tool execution, omission of this warning materially increases the risk of unintended data disclosure and unsafe third-party actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill advertises database connectors and legal-data access without warning that such actions may expose sensitive records, execute queries against external systems, or affect confidentiality and system integrity depending on the connected MCP server. Because the skill promotes broad, dynamic integration, the missing warning makes the context more dangerous than a narrowly scoped read-only reference skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation exposes a generic MCP tool that can enumerate and invoke arbitrary external server tools, including sensitive capabilities like database querying, but it provides no warning, guardrails, or authorization guidance for high-impact operations. In an agent setting, this can normalize unsafe use of powerful connected tools and increase the likelihood of unintended data access, destructive actions, or prompt-driven tool abuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation includes concrete database query examples that retrieve recent orders and expose customer/business records without any guidance on authorization, data minimization, or handling sensitive output. In an agent skill, examples strongly shape agent behavior, so this can normalize broad access to production-like data and lead to unintended disclosure of personal or commercial information.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This workflow demonstrates combining internal database-derived event information with an external weather service, but it does not warn about the privacy and data-governance implications of cross-system data sharing. Even if only location/date fields are shown, such patterns can encourage agents to transmit internal operational details to third-party services without review or minimization.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The troubleshooting guide tells users to generate and share a diagnostic report containing configuration and logs, and later asks them to include configuration and error logs, but it does not prominently instruct users to scrub secrets, tokens, API keys, session identifiers, internal hostnames, or personal data first. In an MCP integration context, logs and config are especially likely to contain sensitive endpoints and credentials, so this can lead to accidental data disclosure when posting to GitHub, Discord, or email.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The plugin exposes a generic `mcp` tool that will invoke any discovered remote MCP tool and forward caller-supplied arguments directly to the remote server without any confirmation, allowlisting, or policy checks. In this skill’s context, that is materially risky because MCP is explicitly designed to bridge to external tools, APIs, databases, and other powerful capabilities, so an agent or prompt injection could trigger sensitive side effects or data exfiltration through a connected server.

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.25.3, 1 advisory: CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport)

Severity: High
Category: Supply Chain
Confidence: 97%
Finding: @modelcontextprotocol/sdk==1.25.3

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.