Back to skill

Security audit

AEO Citability

Security checks across malware telemetry and agentic risk

Overview

This skill transparently runs a local Python tool that edits user-selected static-site files to add citation metadata, with no hidden network, credential, persistence, or destructive behavior found.

Install this only for projects where you are comfortable letting the agent modify static-site HTML and create .md, llms.txt, or sitemap.xml files. Start with audit and dry-run output, review the planned changes, then run writes on a version-controlled site so edits can be reviewed or reverted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and modify user files in place and to create new files, but it does not declare any permissions reflecting those capabilities. This creates a transparency and policy-enforcement gap: an orchestrator or reviewer may treat the skill as lower risk than it is, even though it can alter site content and generate artifacts across a target directory.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.