Security audit

Skill Preflight

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it reads configured local Markdown docs, embeds them through Ollama, and injects relevant context into agent runs, with remote-Ollama privacy risks disclosed.

Keep Ollama set to localhost unless you explicitly trust the remote server, and do not put secrets, API keys, or untrusted instructions in indexed skills, protocols, TOOLS.md, or pinned docs. Verify the package name before installing from npm because the README command does not match the reviewed package.json name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding:
The skill explicitly documents network communication with an Ollama server via `ollamaBaseUrl`, but no permissions declaration is described despite requiring network capability. This creates a trust and review gap: operators may assume the skill is local-only while it can transmit prompts and indexed document contents over HTTP, especially if misconfigured to a remote host.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The documentation markets the skill as using local embeddings with 'no API calls,' but later admits it can send prompt text and full indexed markdown content—including secrets and credentials—to a remote Ollama host if configured. It also injects additional content like `TOOLS.md` and pinned documents that are not reflected in the top-level description, which can mislead users about what data is indexed and inserted into agent context.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Severity: Critical
Code: suspicious.dynamic_code_execution
Location: dist/index.js:23