Security audit

Fulcra Annotations

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it has an under-disclosed endpoint override that could redirect Fulcra access tokens and annotation data.

Install only if you trust the runtime environment and need an agent to write to your Fulcra account. Avoid setting FULCRA_API_BASE unless you intentionally control the target server, keep FULCRA_CLI_COMMAND restricted to the real Fulcra CLI, and review each create, update, delete, or record action before it writes account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    candidates = [[*shlex.split(command), "auth", "print-access-token"]]
    for cmd in candidates:
        try:
            token = subprocess.check_output(
                cmd,
                env=env,
                text=True,
Confidence
89% confidence
Finding
token = subprocess.check_output( cmd, env=env, text=True, stderr=subprocess.DEVNULL, timeout=45,

Tainted flow: 'req' from os.environ.get (line 87, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    headers["Content-Type"] = "application/json"
    req = urllib.request.Request(API_BASE + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as response:
            body = response.read()
            return response.status, body.decode() if body else ""
    except urllib.error.HTTPError as exc:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as response:

Vague Triggers

Medium
Confidence
82% confidence
Finding
The default prompt and activation wording are broad enough that the skill may be invoked for generic 'annotation' or 'record this' requests without clear user intent to use Fulcra Life. In an agent environment, this can cause unintended writes to an external system, creating integrity and privacy risks if users did not explicitly mean to create or record Fulcra annotations.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.