Back to skill

Security audit

Network Hot - 全网热搜榜

Security checks across malware telemetry and agentic risk

Overview

This skill narrowly fetches trending topics from TianAPI using a user-provided API key, with no evidence of hidden collection, persistence, or destructive behavior.

Safe to install for its stated purpose, but prefer setting TIANAPI_NETWORK_HOT_KEY as an environment variable or a restricted local secret file. Avoid putting the API key directly in shell commands, URLs, screenshots, logs, or shared terminal history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill metadata declares runtime requirements but does not explicitly declare permissions despite documented use of environment variables, local file access (.env), and outbound network calls. This creates a transparency and governance issue: users and platforms may not have clear visibility into what resources the skill needs, increasing the chance of overbroad or surprising access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to pass the API key on the command line and embed it in a GET URL. Secrets supplied this way can leak through shell history, process listings, logs, browser history, proxy logs, and monitoring systems, exposing the API key to other local users or infrastructure operators.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.