Security audit

sense-privacy-guard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local privacy scanner that may block file operations, with no evidence of exfiltration, persistence, or destructive behavior.

Use this only if you want strict local keyword-based blocking before file operations. Expect false positives, especially because the script also blocks company-confidential terms. Install dependencies in a virtual environment and consider pinning reviewed versions before scanning untrusted PDF, DOCX, or XLSX files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read and inspect arbitrary local files via a scanning script, but it does not declare corresponding permissions. This creates a capability/permission mismatch: users or orchestrators may not realize the skill can access file contents, undermining transparency and policy enforcement even if the stated goal is protective.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfplumber
python-docx
openpyxl
Confidence
98% confidence
Finding
pdfplumber

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfplumber
python-docx
openpyxl
Confidence
99% confidence
Finding
python-docx

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfplumber
python-docx
openpyxl
Confidence
99% confidence
Finding
openpyxl

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

High
Category
Supply Chain
Confidence
97% confidence
Finding
python-docx

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
97% confidence
Finding
openpyxl

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.