MuPiBox Media DB

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed MuPiBox database manager that can change media entries and create local backups, but the reviewed artifacts do not show hidden or deceptive behavior.

Install only if you intend to let an agent manage your MuPiBox media database. Check that --base-url points to your MuPiBox backend, review add/delete/move/restore operations before running them, keep backup files private, and restore only from backup JSON files you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill documentation describes and encourages use of a bundled Python script that performs network access to a backend API and local file reads/writes for backups, but the skill declares no permissions. This creates a capability-transparency gap: an agent or reviewer may authorize or run the skill without understanding that it can modify remote media data and write local backup files, which increases the risk of unauthorized changes, SSRF-like misuse via configurable base URLs, or unintended access to sensitive local paths during restore operations.

VirusTotal

64/64 vendors flagged this skill as clean.
