Back to skill

Security audit

Salesforce Skill

Security checks across malware telemetry and agentic risk

Overview

The Salesforce skill is coherent for Salesforce administration, but it gives an agent broad org-changing power and includes credential-revealing workflows without enough containment guidance.

Install only if you trust the publisher and will use it against Salesforce orgs where you are comfortable granting broad CLI authority. Do not let the agent print, save, or summarize raw auth output; redact tokens, auth URLs, instance/session details, and private key paths. Prefer sandbox orgs and least-privileged Salesforce users, and require explicit confirmation before Apex execution, raw API calls, or bulk data changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly documents `sf org display --json` and `--verbose` output as exposing access tokens and SFDX auth URLs, but it does not pair these examples with a strong warning not to print, persist, or share the resulting secrets. In an agent skill context, users may ask for command execution and result summarization, so documenting secret-revealing commands without containment guidance increases the chance of credential disclosure into chat logs, files, or downstream tools.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The authentication section includes examples using JWT key files, access tokens, and SFDX auth URL files, all of which are credential-bearing materials, but it lacks guidance on secure handling. In a skill intended for operational use, this can normalize passing secrets via files or command lines without warning about exposure through shell history, logs, shared workspaces, or agent output.

Credential Access

High
Category
Privilege Escalation
Content
# List all authenticated orgs
sf org list --json

# Display info about the default org (access token, instance URL, username)
sf org display --json

# Display info about a specific org
Confidence
95% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.