Scanblitz

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ScanBlitz QR-code integration, but users should understand that it uses a ScanBlitz API key, can change or delete live QR codes, and includes an optional third-party QR image renderer.

Install only if you trust ScanBlitz with your QR destinations and scan analytics. Protect SCANBLITZ_API_KEY, review any update/delete/bulk-create commands before running them, avoid the optional third-party QR image renderer unless sharing the ScanBlitz tracking URL with that service is acceptable, and only enable the optional MCP/npx server if you trust that package.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 81% confidence
Finding: The skill introduces an unrelated third-party service, api.qrserver.com, to render QR images even though the declared capability is centered on the ScanBlitz API. This expands the trust boundary and causes user-supplied scan URLs and metadata to be transmitted to an additional external party without clear necessity or strong justification, creating avoidable privacy and supply-chain risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal