OneABC

Security checks across malware telemetry and agentic risk

Overview

This is a small disclosed OneABC API wrapper that sends user prompts and an API key to the configured OneABC-compatible endpoint when the user runs it.

Install only if you trust OneABC or the configured ONEABC_BASE_URL with your prompts and API key. Prefer setting a dedicated ONEABC_API_KEY, avoid relying on an unrelated OPENAI_API_KEY, and check ONEABC_BASE_URL before running commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill explicitly instructs use of environment variables containing API keys and calls a remote API endpoint, but it declares no permissions despite requiring env and network capabilities. This creates a transparency and governance gap: a user or platform may invoke the skill without realizing it can read secrets from the environment and send prompts or metadata over the network.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal