Google Trends RSS

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it fetches public Google Trends RSS data and optionally saves user-requested exports.

Before installing, be aware that running the daily command contacts Google Trends and that --out can create or overwrite the file path you provide. Choose output paths carefully and review the included Python script if the limited publisher provenance matters to you.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documentation instructs use of a script that performs network access to Google Trends RSS and can write output to arbitrary file paths via `--out`, but the skill declares no permissions. This mismatch is a real security issue because undeclared capabilities reduce transparency and can enable unexpected data egress or filesystem modification when the skill is invoked in an automated environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal