Agent Rate Limiter

Security checks across malware telemetry and agentic risk

Overview

This skill is a local rate-limit helper that behaves consistently with its stated purpose and does not show hidden data collection or unsafe actions.

Install this if you want your agent to throttle itself based on local estimates. Review any prompt, heartbeat, or cron integration before enabling it, keep RATE_LIMIT_STATE pointed at a non-sensitive JSON path, and remember that reset clears prior limiter history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Missing User Warnings

Low
Confidence
88% confidence
Finding
This markdown file documents that the skill writes a JSON state file and that `reset` clears all history, but it does not present this as a safety warning about modifying local files or deleting persisted tracking data. For a skill description, user-facing disclosure about local state persistence and reset side effects would make the data-impact behavior clearer.

VirusTotal

66/66 vendors flagged this skill as clean.
