Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Sync Debox Docs
Security checks across malware telemetry and agentic risk
Overview
This skill transparently downloads public DeBox documentation into a user-chosen folder and summarizes it, with behavior that matches its stated purpose.
Install this only if you want an agent to contact DeBox documentation pages and related documentation resources, then write a local mirror and summary. Choose a dedicated empty output folder, because the script manages files there and may remove stale files it previously recorded after a successful sync.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
64/64 vendors flagged this skill as clean.