UniFuncs Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-search skill that sends search queries and a UniFuncs API key to the UniFuncs search API.

Install this only if you are comfortable sending search queries to UniFuncs and using a UniFuncs API key from your environment. Avoid sensitive private queries unless you trust the provider, use a dedicated rotatable API key where possible, and treat returned web snippets as untrusted content rather than instructions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill invokes Python and relies on both environment variables and outbound network access, but the metadata declares only an allowed tool and does not explicitly communicate those capabilities as permissions. This can mislead reviewers and downstream policy systems about what the skill can access, reducing transparency and increasing the chance the skill is approved or invoked in contexts where env or network access should be restricted.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The description contains very broad trigger phrases like 'search', 'find', 'look up', and 'latest updates', which overlap with a large fraction of ordinary user requests. This can cause over-invocation of the skill, leading user prompts to be unnecessarily sent to an external search service and increasing privacy, data exposure, and unintended tool-use risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal