Back to skill

Security audit

Towns Protocol Skills

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Towns bot-building skill with expected webhook, credential, and blockchain examples, not hidden or malicious behavior.

Install only if you intend to build or operate a Towns Protocol bot. Keep APP_PRIVATE_DATA, JWT_SECRET, RPC keys, database URLs, and funded wallets out of source control; limit bot permissions and wallet funds; avoid message-body logs outside local debugging; use tunnels only temporarily; and remove wallet identifiers from public health checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill gives contradictory guidance about the interactive payload schema: it explicitly says forms use a `type` property, but the response-handling example branches on `.case` and `component.case`. In a bot framework, this kind of mismatch can cause developers to write handlers that silently fail to recognize user actions or transaction responses, which is especially risky here because the same section discusses transaction verification and access-granting flows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The debugging example logs `event.message.slice(0, 100)`, which can capture user-provided message content and place it into application logs without any privacy warning, redaction guidance, or retention controls. In a bot/webhook context, logs are often shipped to third-party platforms or shared during troubleshooting, so this can expose sensitive user content, mentions, secrets, or regulated data beyond the intended chat audience.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The deployment guide explicitly recommends exposing a locally running bot over Tailscale Funnel or ngrok, which makes the development instance publicly reachable. In a bot/webhook context this increases attack surface and can expose test data, debug behavior, or weakly configured endpoints if readers follow the instructions without understanding the external accessibility implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sample health endpoint returns `bot.viem.account.address`, which discloses the bot's wallet address to anyone who can reach the endpoint. While a public address is not a secret by itself, exposing it via health checks leaks deployment metadata and can aid reconnaissance, especially when paired with a publicly exposed webhook service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.