Mdnew

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-provided URL to markdown.new and prints the converted Markdown.

Use this for public pages or URLs you are comfortable sharing with markdown.new. Avoid private, authenticated, internal, secret-bearing, or session-specific links unless you have confirmed that sending them to an external conversion service is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill explicitly instructs the agent to fetch arbitrary URLs over the network, but the manifest does not declare any permissions. Undeclared network capability weakens security review and policy enforcement, and in an agent setting it can enable unexpected access to internal services, sensitive endpoints, or user-supplied destinations if the script is invoked on untrusted input.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal