
Security audit

zeecu-device-skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the promised vehicle queries, but it silently saves live API keys to a plaintext local config file while handling sensitive vehicle location and trip data.

Install only if you are comfortable giving the skill access to live vehicle telemetry, location, identifiers, and ride history. Prefer a protected environment variable or secret manager, avoid passing the API key on the command line, check whether config.json is created after use, restrict its permissions or delete it, and rotate the key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%

Finding: The skill advertises and instructs use of environment variables, local config files, and networked API calls, but only declares an env requirement rather than explicit permissions/capabilities for file access and networking. This mismatch can undermine platform trust boundaries and lead users or hosts to run a skill with broader effective access than its manifest communicates.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

Finding: The script persists the resolved API key into ../config.json regardless of whether it came from CLI arguments or the environment. This creates unnecessary credential-at-rest exposure for a skill whose stated purpose is only querying vehicle information, increasing the chance that other local users, processes, backups, or accidental commits can recover the key and access vehicle and trip data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%

Finding: Reading credentials from environment variables is common, but in this code path the resolved key is later saved to config.json, silently converting a transient secret into a persistent one. That broadens exposure beyond the current process and is not necessary for simple read-only vehicle queries, making credential compromise more likely.

Missing User Warnings

Severity: Medium
Confidence: 94%

Finding: The README explicitly instructs users to pass a live API key directly on the command line. Command-line arguments are commonly exposed through shell history, process listings, audit logs, and CI job output, which can leak a production credential to other local users or logging systems. Because this skill accesses bound vehicle data and real-time status, exposure of the key can enable unauthorized access to sensitive device information.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The README tells users to store a live API key in a local config.json file but provides no guidance on file permissions, exclusion from version control, or secure storage. Secrets in plaintext config files are frequently leaked through backups, shared directories, screenshots, accidental commits, or permissive filesystem access. In this skill's context, the key protects access to vehicle lists, telemetry, and ride history, so compromise affects user privacy and possibly operational awareness of the vehicle.

Missing User Warnings

Severity: Medium
Confidence: 94%

Finding: The skill handles highly sensitive data including precise vehicle location, home/work-adjacent addresses, live status, and trip history, while also instructing users to store a live API key in config.json without any privacy or local-secret-handling warning. Exposure of this data or key could enable persistent tracking, profiling of routines, or unauthorized access to a user's vehicle telemetry.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The spec explicitly documents use of a live-style API key (`sk_live_`) and transmission of sensitive vehicle telemetry, including precise location, address, VIN/frame number, and trip history, but provides no guidance on secure storage, masking, rotation, least-privilege handling, or privacy protections. In this skill context, the data is highly privacy-sensitive because it can reveal a user's identity, assets, whereabouts, and movement patterns.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The code stores an API key obtained via arguments or environment into config.json without any user-facing notice or consent. This is dangerous because users may reasonably expect CLI or environment secrets to remain ephemeral, while the script leaves a recoverable local artifact that can expose access to device status and trip history.

VirusTotal

64/64 vendors flagged this skill as clean.
