ScopeBlind protect-mcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned security gateway skill, but users should treat its shadow-mode logs as potentially sensitive.

Before installing, confirm where shadow-mode logs are written, whether they include tool arguments or prompt text, and how to redact or disable sensitive logging. Use protected storage, limit access to logs, and avoid enabling broad shadow logging in workspaces that handle secrets unless retention and redaction are clear.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill explicitly advertises a shadow mode that logs every tool-call decision, but it does not warn that those logs may contain sensitive prompts, tool arguments, file paths, tokens, or other secrets passed through the proxy. In a security-gateway skill, users may assume logging is inherently safe, so omission of data-sensitivity guidance can lead to unintended retention or exposure of confidential information.

VirusTotal

63/63 vendors flagged this skill as clean.
