
Security audit

industry-intro

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent industry-report helper, but its bundled search script uses simulated retrieval, so users must verify sources before relying on reports.

Install only if you are comfortable treating this as a report-structuring and quality-checking aid, not a verified research engine. Replace or bypass the mock search path with real retrieval, and manually verify every cited source before using the output for business, regulatory, or investment decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to invoke local scripts and reference local files, which implies file-read and potentially file-write capabilities, yet no permissions are declared in metadata. This creates a transparency and policy-enforcement gap: a host system may treat the skill as low-privilege while it actually performs filesystem-backed operations, increasing the risk of unintended file access or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared purpose says the skill generates high-confidence, source-traceable industry definitions, but the behavior indicates heuristic filtering, scoring, report revision, and even simulated retrieval rather than guaranteed authoritative generation. This mismatch can mislead downstream users or orchestrators into overtrusting outputs, causing integrity failures where generated reports appear verified or externally sourced when they may be based on incomplete or simulated evidence.
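Both findings above can be checked statically before install: Lp3 (instructions and scripts that read, write or execute locally while the metadata declares nothing) and Tp4 (a search path that never reaches a network and returns canned results). The Python below is an added example written for this page; it is not code from the skill, from its author or from SkillSpector. It assumes a hypothetical bundle layout (a SKILL.md with YAML-style frontmatter carrying a `permissions:` list, scripts under `scripts/`), and the sample skill text, capability names and indicator patterns are constructed for the illustration.

```python
"""Static capability-declaration and simulated-retrieval check for a skill bundle.

Added example for this audit page, not the skill's or SkillSpector's code.
Assumed (hypothetical) layout: SKILL.md with frontmatter `permissions: [...]`,
bundled scripts under scripts/. Capability names and patterns are illustrative.
"""
import re

# Constructed sample bundle mirroring the findings: local script + local file
# references in the instructions, no permissions declared, search is canned.
SKILL_MD = """---
name: industry-intro
description: Generate source-traceable industry definitions.
---
Run `python scripts/search.py "<query>"` and read `templates/report.md`
before drafting the report.
"""

SEARCH_PY = '''
import json

def search(query):
    # simulated retrieval: canned results, no network call is ever made
    results = [{"title": "Industry overview", "url": "https://example.invalid/overview"}]
    with open("cache.json", "w") as fh:
        json.dump(results, fh)
    return results
'''

# Same bundle with the capabilities it actually exercises declared up front.
FIXED_SKILL_MD = SKILL_MD.replace(
    "---\nname:", "---\npermissions: [filesystem.read, filesystem.write, process.exec]\nname:", 1
)

# Textual indicators that an instruction or script exercises a capability (heuristic).
CAPABILITY_PATTERNS = {
    "filesystem.read": [r"\bread\b", r"\bopen\(", r"\bPath\("],
    "filesystem.write": [r"\bwrite\b", r"open\([^)]*,\s*['\"][wa]", r"\.write\("],
    "process.exec": [r"\b(?:python3?|bash|sh|node)\s+\S+", r"\bsubprocess\.", r"\bos\.system\("],
    "env.read": [r"\bos\.environ\b", r"\bgetenv\("],
    "network": [r"\brequests\.", r"\burllib\b", r"\bhttpx\b", r"\bsocket\b", r"\bcurl\b"],
}
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---", re.S)
PERMISSIONS = re.compile(r"^permissions:\s*\[(.*?)\]\s*$", re.M)
RETRIEVAL_FUNC = re.compile(r"^\s*def\s+\w*(?:search|fetch|retrieve)\w*\s*\(", re.M)
SIMULATION_HINT = re.compile(r"\b(?:simulat|mock|canned|fake|stub)\w*", re.I)


def split_skill(skill_md):
    """Separate frontmatter (or None) from the instruction body so the
    declaration itself is never mistaken for evidence of a capability."""
    m = FRONTMATTER.match(skill_md)
    if not m:
        return None, skill_md
    return m.group(1), skill_md[m.end():]


def declared_permissions(frontmatter):
    """Declared set, or None when the permissions key is absent entirely."""
    if frontmatter is None:
        return None
    pm = PERMISSIONS.search(frontmatter)
    if not pm:
        return None
    return {p.strip().strip("'\"") for p in pm.group(1).split(",") if p.strip()}


def implied_capabilities(text):
    return {cap for cap, pats in CAPABILITY_PATTERNS.items()
            if any(re.search(p, text) for p in pats)}


def retrieval_is_simulated(src):
    """A search-like function with no network indicator, or with an explicit
    mock/simulated hint, is reported as simulated retrieval."""
    if not RETRIEVAL_FUNC.search(src):
        return False
    return "network" not in implied_capabilities(src) or bool(SIMULATION_HINT.search(src))


def audit(skill_md, scripts):
    """scripts: mapping of relative path -> source text. Returns the gap report."""
    frontmatter, body = split_skill(skill_md)
    declared = declared_permissions(frontmatter)
    implied = implied_capabilities(body)
    for src in scripts.values():
        implied |= implied_capabilities(src)
    return {
        "declaration_missing": declared is None,
        "declared": declared or set(),
        "implied": implied,
        "undeclared": implied - (declared or set()),
        "simulated_retrieval": sorted(n for n, s in scripts.items() if retrieval_is_simulated(s)),
    }


if __name__ == "__main__":
    for label, md in (("as shipped", SKILL_MD), ("with declarations", FIXED_SKILL_MD)):
        report = audit(md, {"scripts/search.py": SEARCH_PY})
        print(f"[{label}] declaration_missing={report['declaration_missing']} "
              f"undeclared={sorted(report['undeclared'])} "
              f"simulated_retrieval={report['simulated_retrieval']}")
```

The check is deliberately conservative in one direction: any script that defines a search/fetch/retrieve function but never touches a network library is reported, so a real retrieval path that goes through an unlisted client will show up as a false positive and needs a manual look; that is the cheaper error compared with treating canned results as sourced evidence.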

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.