Lp3
Medium
- Category: MCP Least Privilege
- Confidence: 70%
- Finding: Without declared permissions, the skill's intent is opaque and cannot be validated.
Security checks across malware telemetry and agentic risk
The skill is a user-run data analyzer, but HTML reports can include unescaped data values, which is risky for untrusted files.
Review before installing if you plan to analyze files from third parties or marketplaces. Prefer JSON output for untrusted data, treat generated HTML reports as unsafe until escaping is fixed, and use only the included analyze_data.py script rather than searching for the missing helper scripts referenced in the documentation.
VirusTotal findings are pending for this skill version.