Security audit

Quantum Bridge

Security checks across malware telemetry and agentic risk

Overview

Quantum Bridge is a disclosed remote API helper for quantum circuit conversion and execution, with real privacy and credit-spending considerations but no hidden or destructive behavior found.

Install only if you trust Quantum Bridge with the circuit files, OriginIR, consensus JSON, and API key you provide. Review files before sending them, keep QUANTUM_BRIDGE_KEY private, and require explicit approval before any operation that uploads data, spends credits, or submits work to simulator or Wukong hardware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 77%

Finding: The skill demonstrates shell-based network operations via curl but does not declare the corresponding permissions, which weakens the platform's trust and review model. Undeclared execution and network capability can lead to unexpected outbound requests, credential use, and reduced user visibility into what the skill is able to do.

Vague Triggers

Severity: Medium
Confidence: 75%

Finding: The invocation text uses broad matching phrases such as 'use when a user asks' across several generic tasks, increasing the chance the skill activates for loosely related requests. Over-broad triggering is dangerous here because the skill can send data to an authenticated third-party service and potentially incur credit charges or expose user-provided circuit data without sufficiently specific user intent.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The skill instructs transmission of user circuit contents to an external API and submission to remote quantum hardware, but it does not prominently warn users that their inputs leave the local environment. In this context, circuit designs may be proprietary or sensitive research artifacts, so silent external transmission creates privacy, confidentiality, and billing risks.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The transpile command reads a local QASM file and sends its full contents to a remote API, but the call site provides no runtime disclosure or confirmation. In an agent-skill context, users may reasonably think this is a local conversion tool, so sensitive circuit IP or proprietary research data could be exfiltrated off-host without clear notice.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The reverse command uploads a local OriginIR file to a remote service without explicit disclosure at execution time. OriginIR content may encode proprietary algorithms or experimental work, so silent transmission creates confidentiality risk, especially when invoked by an automated agent on behalf of a user.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The validate command reads like a local syntax check, yet it uploads the entire OriginIR file to the remote API without a clear runtime notice. That mismatch between user expectation and actual behavior makes accidental disclosure more likely and is particularly risky in a skill designed to be driven by an agent.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding: The consensus command posts an arbitrary JSON file directly to a remote endpoint with no user-facing disclosure. Because the JSON may contain agent prompts, credentials, metadata, or other sensitive workflow data, silent upload can leak information beyond the user's expectation.

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding: The submit command uploads local QASM to a remote service and can trigger billable execution on simulator or hardware, yet it gives no explicit runtime warning or confirmation. This creates both confidentiality risk from circuit disclosure and financial/resource-consumption risk if an agent submits jobs unexpectedly or repeatedly.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 88%

Content:

### Transpile QASM → OriginIR (1 credit)

```bash
curl -X POST "$BASE/transpile" \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{"qasm": "OPENQASM 2.0;\ninclude \"qelib1.inc\";\nqreg q[2];\ncreg c[2];\nh q[0];\ncx q[0],q[1];\nmeasure q[0] -> c[0];\nmeasure q[1] -> c[1];"}'
```

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 91%

Content:

```bash
transpile)
    file="${1:?Usage: qbridge transpile <file.qasm>}"
    qasm=$(cat "$file")
    curl -s -X POST "$BASE/transpile" -H "$AUTH" -H "$CT" \
      -d "$(jq -n --arg q "$qasm" '{qasm: $q}')"
    ;;
  reverse)
```
Finding:

```bash
curl -s -X POST "$BASE/transpile" -H "$AUTH" -H "$CT" \
  -d "$(jq -n --arg q "$qasm" '{qasm: $q}')"
;;
reverse)
  file="${1:?Usage: qbridge reverse <file.originir>}"
  ir=$(cat "$file")
```

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 95%

Content:

```bash
file="${1:?Usage: qbridge submit <file.qasm> [simulator|wukong]}"
    backend="${2:-simulator}"
    qasm=$(cat "$file")
    curl -s -X POST "$BASE/submit" -H "$AUTH" -H "$CT" \
      -d "$(jq -n --arg q "$qasm" --arg b "$backend" '{qasm: $q, backend: $b, shots: 1000}')"
    ;;
  poll)
```

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.