
Security audit

Ainative Mcp Builder

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only developer guide; its remote API and memory examples are visible in the text and consistent with its stated MCP-building purpose.

Reasonable to install as a developer guide. Before using the examples, keep API keys in environment variables or secret storage, do not commit MCP config files that carry secrets, and do not send secrets, regulated data, or sensitive prompts to remote memory unless you intend for AINative to receive and retain that content.
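One way to enforce the advice above before a commit, added here as an example and not code from the skill or from AINative: a check that parses an MCP client config in the common {"mcpServers": {...}} shape, flags env entries whose name suggests a credential but whose value is a literal rather than a ${VAR} reference, and rewrites them to references. The config, server name, variable names and key value below are constructed for the example; whether a given MCP client expands ${VAR} references is an assumption, the point being that a reference is safe to commit and a literal is not.

```python
import json
import re

# Constructed sample of an MCP client config in the {"mcpServers": ...} shape.
# The server name, command and the key value are invented for this example.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "ainative-memory": {
            "command": "python",
            "args": ["server.py"],
            "env": {
                "AINATIVE_API_KEY": "ak_live_0123456789abcdef0123456789abcdef",
                "AINATIVE_BASE_URL": "https://api.example.invalid",
            },
        }
    }
})

# Env var names that conventionally carry credentials.
SECRET_NAME = re.compile(r"(API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD)", re.IGNORECASE)

# A value that is a reference rather than a literal: ${VAR}, $VAR, or empty.
# Assumption: the MCP client resolves such references from the environment.
REFERENCE = re.compile(r"^\s*(\$\{?[A-Z_][A-Z0-9_]*\}?)?\s*$")


def find_committed_secrets(config_text: str) -> list[tuple[str, str]]:
    """Return (server, env var) pairs whose env value is a literal credential."""
    config = json.loads(config_text)
    hits = []
    for server, spec in config.get("mcpServers", {}).items():
        for name, value in (spec.get("env") or {}).items():
            if SECRET_NAME.search(name) and not REFERENCE.match(str(value)):
                hits.append((server, name))
    return hits


def scrub(config_text: str) -> str:
    """Return the config with each literal credential replaced by a ${VAR} reference."""
    config = json.loads(config_text)
    for server, name in find_committed_secrets(config_text):
        config["mcpServers"][server]["env"][name] = "${" + name + "}"
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    for server, name in find_committed_secrets(SAMPLE_CONFIG):
        print(f"{server}: env {name} holds a literal credential; move it to the environment")
    print(scrub(SAMPLE_CONFIG))
```

Run find_committed_secrets over each MCP config path from a pre-commit hook and fail the commit on any hit; scrub shows the shape the committed file should have, with the real value living only in the shell environment or a secret store.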

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill provides copy-pastable examples that transmit queries and content to remote memory APIs and persist data, but it does not warn users that prompts, memories, or other potentially sensitive information will leave the local environment and be stored remotely. In an agent-skill context, that omission is security-relevant because users may enable or adapt these examples without realizing they are creating data egress and persistence paths.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
import os
import requests
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("ainative-memory")         # server name and env var names are assumed
BASE = os.environ["AINATIVE_BASE_URL"]   # read from the environment, never a literal in the skill
API_KEY = os.environ["AINATIVE_API_KEY"]

@mcp.tool()
def search_memory(query: str, limit: int = 5) -> dict:
    """Search agent memory semantically."""
    return requests.post(
        f"{BASE}/api/v1/public/memory/v2/recall",
        headers={"X-API-Key": API_KEY},
        json={"query": query, "limit": limit},
    ).json()  # call closed here; .json() assumed from the declared dict return type
Confidence: 89%
Finding:
The tool posts the caller-supplied query text to {BASE}/api/v1/public/memory/v2/recall, authenticated with the API key in the X-API-Key header. Every invocation is a network egress of whatever the agent chooses to search for, to a host outside the local environment.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
import os
import requests
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("ainative-memory")         # server name and env var names are assumed
BASE = os.environ["AINATIVE_BASE_URL"]   # read from the environment, never a literal in the skill
API_KEY = os.environ["AINATIVE_API_KEY"]

@mcp.tool()
def store_memory(content: str, memory_type: str = "episodic") -> dict:
    """Store a fact or event in agent memory."""
    return requests.post(
        f"{BASE}/api/v1/public/memory/v2/remember",
        headers={"X-API-Key": API_KEY},
        json={"content": content, "memory_type": memory_type},
    ).json()  # call closed here; .json() assumed from the declared dict return type
Confidence: 95%
Finding:
The tool posts the caller-supplied content to {BASE}/api/v1/public/memory/v2/remember, authenticated with the API key in the X-API-Key header, where the service stores it. Every invocation is both a network egress and a remote persistence path for whatever the agent decides to remember.
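A hardened form of the two audited tools, covering the Missing User Warnings finding and both External Transmission findings, added here as an example and not the skill's own code: the API key is read from the environment at call time and a missing key fails loudly; every outbound payload passes through a guard that refuses secret-looking text unless the caller opts in, and records what left the machine so the operator has the warning the first finding says is missing. The endpoint paths are those in the audited snippets; the environment variable names, the regex patterns, the allow_sensitive flag and the injectable post parameter are this example's choices. The @mcp.tool() decorators are left off so the module runs without the mcp package; registering the functions with the server is unchanged.

```python
import os
import re
from typing import Callable

# Assumed names (not from the audited skill): where the base URL and key come from.
BASE = os.environ.get("AINATIVE_BASE_URL", "https://api.example.invalid")


def api_key() -> str:
    """Read the key at call time so a missing key fails loudly instead of sending a blank header."""
    key = os.environ.get("AINATIVE_API_KEY")
    if not key:
        raise RuntimeError("AINATIVE_API_KEY is not set; refusing to call the remote memory API")
    return key


# Text shapes that should never reach remote memory by accident (example patterns, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                          # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),        # PEM private key block
    re.compile(r"\b(sk|ak)_(live|test)_[0-9A-Za-z]{16,}\b"),  # vendor-style API keys
    re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}"),           # bearer tokens pasted into prompts
]

EGRESS_LOG: list[dict] = []   # record of what left the machine, for the operator to inspect


def is_sensitive(text: str) -> bool:
    return any(p.search(text) for p in SECRET_PATTERNS)


def guard_egress(payload: dict, allow_sensitive: bool = False) -> dict:
    """Refuse secret-looking content unless explicitly allowed; log every transmission."""
    text = " ".join(str(v) for v in payload.values())
    if not allow_sensitive and is_sensitive(text):
        raise ValueError("refusing to send secret-looking content to remote memory; "
                         "pass allow_sensitive=True to override")
    EGRESS_LOG.append({"fields": sorted(payload), "bytes": len(text.encode())})
    return payload


def default_post(url: str, headers: dict, json: dict) -> dict:
    import requests   # imported lazily so the guard logic runs without the library or a network
    resp = requests.post(url, headers=headers, json=json, timeout=10)
    resp.raise_for_status()
    return resp.json()


def store_memory(content: str, memory_type: str = "episodic", *,
                 allow_sensitive: bool = False, post: Callable = default_post) -> dict:
    """Store a fact or event in agent memory. The content is sent to and retained by the remote service."""
    payload = guard_egress({"content": content, "memory_type": memory_type}, allow_sensitive)
    return post(f"{BASE}/api/v1/public/memory/v2/remember", {"X-API-Key": api_key()}, payload)


def search_memory(query: str, limit: int = 5, *, post: Callable = default_post) -> dict:
    """Search agent memory semantically. The query text is sent to the remote service."""
    payload = guard_egress({"query": query, "limit": limit})
    return post(f"{BASE}/api/v1/public/memory/v2/recall", {"X-API-Key": api_key()}, payload)


def fake_post(url: str, headers: dict, json: dict) -> dict:
    """Offline stand-in for the HTTP call, used by the demonstration below."""
    return {"url": url, "auth": bool(headers.get("X-API-Key")), "echo": json}


if __name__ == "__main__":
    os.environ.setdefault("AINATIVE_API_KEY", "example-only-key")
    print(store_memory("user prefers dark mode", post=fake_post))
    try:
        store_memory("prod creds: AKIAABCDEFGHIJKLMNOP", post=fake_post)
    except ValueError as err:
        print("blocked:", err)
    print(search_memory("what does the user prefer", post=fake_post))
    print(EGRESS_LOG)
```

The guard runs before the key is read, so a blocked payload never reaches the network even when credentials are configured; the docstrings carry the egress warning into the tool descriptions the agent and its user see.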

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.