Security audit

Code Right Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote document-generation helper that sends a system name and email to softcraft.cloud to create a job and email a download link.

Install only if you trust softcraft.cloud with the software/system name, recipient email, generated documents, and any optional access token. Confirm the destination email before use, especially for confidential business or legal materials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly describes networked behavior including contacting a remote service, sending notification emails, and providing download links, yet no explicit permissions are declared. This creates a transparency and control gap: an agent or platform may invoke external communications and data transfer without the user being clearly informed through the permission model.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation example invites a broad natural-language request to 'generate copyright materials and send them to an email' without stating constraints, confirmation steps, or safety checks. In an agent setting, this increases the chance of unintended task execution, misuse of third-party email addresses, or transmission of sensitive generated content without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description emphasizes automated document generation, packaging, and email delivery but does not warn users that provided email addresses and generated materials will be transmitted through external services. This omission can lead to privacy, confidentiality, and compliance issues, especially because the generated documents may contain business-sensitive descriptions and screenshots.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.