Back to skill

Security audit

Mysteel_MarketAnalysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Mysteel commodity-analysis connector that reads a local API key and sends market-analysis queries to Mysteel, with no evidence of hidden or destructive behavior.

Install only if you trust Mysteel with the market queries you submit and can protect the API key stored in references/api_key.md. Avoid including confidential business details in queries unless that is acceptable under your Mysteel access terms, and use careful argument quoting when running the helper script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read a local credential file and invoke a Python script that calls an internal API, but it declares no corresponding permissions. This creates a capability/permission mismatch that can bypass expected review and sandbox controls, increasing the risk of unauthorized file access, secret handling, and network use.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger conditions are broad enough to overlap with ordinary commodity-related questions, which can cause the skill to activate unexpectedly. In this skill, unintended activation is more sensitive because activation leads to credential-file checks and potential network calls to an internal service rather than a harmless local transformation.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.