
Security audit

McPorter Local

Security checks across malware telemetry and agentic risk

Overview

This skill transparently wraps the mcporter CLI, but users should treat it as a powerful MCP control tool.

Install only if you need direct MCP server control through mcporter. Use trusted MCP servers and stdio commands, review schemas before calling tools, confirm any create/update/delete or config-changing action, avoid sending secrets to ad-hoc URLs, and stop daemons or log out when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill advertises capabilities to edit configuration, perform authentication flows, run stdio commands, and call remote MCP endpoints, but it provides no warning that these actions can modify local state or send user-provided data and credentials to external services. In an agent setting, that omission is risky because users may invoke commands assuming they are read-only when they can instead change config, launch local processes, or transmit sensitive data off-host.

VirusTotal

63/63 vendors flagged this skill as clean.
