Crypto News

Security checks across malware telemetry and agentic risk

Overview

This skill appears to fetch crypto news from a disclosed external API using a user-provided API key, with no evidence of hidden persistence, credential theft, or destructive behavior.

Install only if you are comfortable giving the skill a BlockBeats API key and allowing it to contact the BlockBeats API. Prefer a dedicated, revocable API key, and avoid sharing unrelated secrets in the same runtime environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill declares required binaries and environment variables and instructs execution of a Node.js script that will likely make outbound requests, but it does not explicitly declare permissions for sensitive capabilities such as network and env access. This creates a transparency and policy-enforcement gap: users or platforms may not realize the skill can access secrets and external services, increasing the risk of unintended data exposure or over-privileged execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal