Find RSS

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward RSS finder that runs a disclosed script and contacts the website the user supplies, with no evidence of hidden data access or persistence.

Install if you are comfortable with a skill that runs a bash script and makes web requests to the URL you provide plus common feed paths. Use it for public websites you intend to query, and avoid pointing it at localhost, private network hosts, internal services, or sensitive URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill documentation instructs the agent to invoke a shell script, but the skill declares no permissions. That mismatch can bypass user and platform expectations about what the skill is allowed to execute, increasing the risk of unreviewed command execution or unsafe URL handling in the referenced script.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal