Security audit

turingsenseai-classify-skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed product-image classification skill that uses a remote Turing MCP service with user-provided API credentials.

Install only if you trust the Turing MCP endpoint and are comfortable storing project-scoped API credentials for it. Use scoped or test credentials where possible, review setup.sh before running it, and only provide image URLs you are willing to send to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The script passes API credentials directly to `mcporter config add` as headers, which likely causes long-lived secrets to be stored in local tool configuration without explicit user warning or safeguards. If that configuration is readable by other local users, synced, logged, or later exposed by diagnostic commands, the credentials could be recovered and abused to access the MCP service.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.