Security audit

Mcp Builder test

Security checks across malware telemetry and agentic risk

Overview

This MCP-building skill is mostly coherent, but its optional evaluator can let an AI call any connected MCP server tool and record sensitive tool data, so it needs review before use.

Install only if you are intentionally building or evaluating MCP servers. Run the evaluator only against trusted test servers or read-only credentials, avoid production accounts, avoid putting real tokens directly on the command line, and assume tool inputs, outputs, and reports may contain sensitive data unless you add allowlisting and redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill instructs the agent to create files and build MCP servers, but the metadata shown here declares no corresponding permissions. In agent environments, undeclared file-write and MCP or network capabilities reduce transparency and can lead to unexpected side effects, such as writing project files or contacting external services without explicit user awareness.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared description presents the skill as a documentation guide, but the detected behavior indicates materially broader operational capabilities, including connecting to MCP servers, invoking tools, parsing evaluation artifacts, contacting Anthropic, and generating reports. This mismatch is dangerous because users or policy systems may trust the skill as informational while it can actually perform external interactions and automated evaluation workflows with broader data access and side effects.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The resource example constructs a local filesystem path directly from a user-controlled `{name}` parameter and reads it with `open()` without any path normalization, allowlisting, or sandboxing. In a guide for building MCP servers, this pattern can be copied into real implementations and lead to path traversal or unintended disclosure of local files such as secrets, configs, or source code.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The example instructs the tool to request an API key via `ctx.elicit(..., input_type="password")` but provides no guidance on secure handling, storage, redaction, or minimization of sensitive credentials. In an instructional skill, this normalizes collecting secrets in-tool and may cause downstream implementations to log, persist, or retransmit user credentials insecurely.

VirusTotal

65/65 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.