Back to skill

Security audit

Canonry

Security checks across malware telemetry and agentic risk

Overview

Canonry is a disclosed AEO operations skill with broad but purpose-aligned integrations; it handles sensitive credentials and agent actions, so users should configure it carefully.

Before installing, treat ~/.canonry/config.yaml as a secrets file, avoid committing or sharing it, use read-only API keys or --scope read-only where practical, connect only the projects and accounts you intend Canonry to manage, and require explicit approval before running live WordPress, GBP, deletion, or bulk-change workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs users to persist a Google OAuth client secret and per-user OAuth tokens in `~/.canonry/config.yaml`, and states those tokens are stored there, but provides no warning about the file's sensitivity, access controls, or encryption. If that file is readable by other local users, committed to source control, included in backups, or exfiltrated by malware, an attacker could reuse refresh tokens and client credentials to access or manage connected Google Business Profile data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup tells users to place a raw Google Places API key in configuration or an environment variable, but does not warn that API keys are bearer secrets or recommend standard Google restrictions. A leaked unrestricted key can be abused by third parties to make billable Places API calls, consume quota, or potentially access enabled API surfaces tied to the same project.

Session Persistence

Medium
Category
Rogue Agent
Content
cnry agent ask <project> "<prompt>" --provider google
cnry agent ask <project> "<prompt>" --provider deepinfra --model zai-org/GLM-5.2   # Western-hosted GLM/DeepSeek (key: DEEPINFRA_TOKEN)

# Restrict the tool surface. Default is --scope all (full read+write surface).
# --scope read-only matches the dashboard bar default so pasted "Copy as CLI"
# commands can't enable writes the UI turn couldn't perform.
cnry agent ask <project> "<prompt>" --scope read-only
Confidence
89% confidence
Finding
write surface). # --scope read-only matches the dashboard bar default so pasted "Copy as CLI" # commands can't enable writes the UI turn couldn't perform. cnry agent ask <project> "<prompt>" --scope r

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.