Security audit

Abfallkalender RV

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a disclosed downloader for Ravensburg waste-calendar files, with expected network access and local caching.

Install only if you are comfortable sending the queried address to the Ravensburg Athos portal and storing address-specific calendar files locally. Use --no-cache or clear ~/.cache/abfallkalender-rv if you do not want cache history retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill instructs the agent to execute a local Python script that reads and writes files and performs network requests, but the skill declares no permissions. This creates a permission-model mismatch: users or higher-level policy may believe the skill is low-risk while it can access the filesystem, write downloaded content, and contact external services, which weakens transparency and review controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.