Back to skill

Security audit

IDFM Journey

Security checks across malware telemetry and agentic risk

Overview

This is a real IDFM transit lookup skill, but it includes an undocumented option that can send the user's API key to any base URL.

Review before installing. Use only a dedicated IDFM PRIM API key, keep the default official endpoint, and do not allow prompts or command examples to add --base-url unless you fully trust that destination. Rotate the key if it may have been sent to a non-IDFM host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs use of a bundled script that reads an environment variable (`IDFM_PRIM_API_KEY`) and makes outbound network requests, but the skill declares no permissions for those capabilities. This creates a transparency and governance gap: users or platforms may execute code with access to secrets and the network without explicit consent boundaries, increasing the risk of secret misuse or unexpected data exfiltration if the script is changed or behaves unsafely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill is supposed to query only IDFM/Navitia, but the CLI exposes an arbitrary --base-url override and still attaches the IDFM API key to every request. If an attacker can influence invocation arguments, they can redirect requests to an attacker-controlled server and exfiltrate the API key or force the tool to access unintended network locations, which is a classic capability expansion/SSRF-style issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.