food-expiry-reminder

Security checks across malware telemetry and agentic risk

Overview

This is a local food-expiry tracker that stores inventory in a JSON file and does not show hidden network, credential, or broad filesystem behavior.

Before installing, be aware that food inventory and notes will be stored locally in data/food_data.json. Clear the bundled sample records before personal use if needed, back up the file if the inventory matters, and only add cron or other scheduled reminders if you intentionally want recurring checks.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill documentation describes persistent file read/write behavior (`food_data.json`) but does not declare corresponding permissions. Undeclared storage capabilities reduce transparency and can lead users or hosting systems to grant broader trust than warranted, especially because the skill supports modifying and deleting stored records. In this context the issue is not overtly malicious, but it is a real security and governance weakness around data access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal