Beaconchain

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed Beaconcha.in dashboard checker whose API key use and network access match its stated purpose.

Install only if you are comfortable providing a Beaconcha.in API key and dashboard ID. Prefer environment variables over passing the API key on the command line, use the least-privileged/read-only key available, and avoid sharing JSON or error output publicly because it can include dashboard and account-status details.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill consumes sensitive environment variables and performs outbound network access, but it does not declare explicit permissions for those capabilities. Undeclared access weakens the trust boundary for users and hosting platforms because the skill can handle secrets and exfiltrate data over the network without a clear permission contract. In this specific skill, the described behavior appears aligned with its stated purpose, so the issue is more a transparency and governance vulnerability than an obviously malicious backdoor.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal