Finally Offline Culture MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote content/newsletter skill with privacy considerations, but no evidence of hidden or malicious behavior.

Install this only if you trust the Finally Offline remote MCP service. Avoid sensitive personal details in searches, interests, agent names, and digest prompts because those requests may be processed by the external service and reading/subscription history may be retained remotely.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation criteria are broad enough to match common requests about music, design, tech, and recommendations, which can cause the skill to trigger in many ordinary conversations. Because the skill connects to a remote MCP server, over-broad invocation increases the chance of unnecessary external data transmission and tool use without clear user intent.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs the agent to use a remote MCP server but does not warn that user queries and parameters may be sent to an external service. This creates a transparency and privacy risk because users may unknowingly disclose interests, search terms, or identifying subscription details to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal