Idea Reality Validator

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it overstates its validation ability and asks users to add an unpinned external MCP tool to their agent setup.

Review before installing. Treat the included validator as a demo or stub unless the publisher documents the real MCP implementation, pins the package version, and explains what idea text is stored or sent externally. Avoid submitting confidential business ideas until storage and data-flow behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The implementation claims to validate an idea by checking multiple external sources, but it only prints simulated source names and returns a random score. In a pre-build decision tool, this can materially mislead users into starting, stopping, or pivoting based on fabricated evidence, creating a trust and integrity failure rather than a harmless placeholder.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The header comments describe real competitive scanning and validation behavior, while the code explicitly operates as a mock. This mismatch is dangerous because users and downstream agents may rely on comments and manifest-level claims as truthful descriptions of capability, causing deceptive automation outcomes.

VirusTotal

No VirusTotal findings
