Mxe

Security checks across malware telemetry and agentic risk

Overview

The skill has a clear Markdown export purpose, but its setup can build and globally link an unreviewed local Node tool from a hard-coded developer path.

Install only if you can inspect and trust the actual `mxe` source at the referenced local path, or replace it with a reviewed and pinned package. Expect URL inputs to contact third-party sites, and remember that local images referenced by Markdown may be embedded into exported documents.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The skill explicitly supports fetching remote URLs, but it does not warn the user that using a URL will trigger outbound network access and retrieval of untrusted remote content. In an agent setting, this can cause unintended data egress, unexpected contact with external hosts, or processing of malicious web content without clear user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal