Back to skill

Security audit

Motion Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Motion document editor, but it asks agents to use workspace-wide credentials and exposes powerful edit/delete/bulk actions without clear confirmation requirements.

Install only if you trust the Motion MCP server and are comfortable giving it workspace-wide access. Prefer a limited invite token or a dedicated revocable agent token, keep edits in suggestion mode, review suggestions before bulk acceptance, and require explicit confirmation before direct edits, exports, deletes, moves, or bulk accept/reject actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger phrases are broad enough to activate on generic collaboration requests like 'edit a document' or 'leave a comment,' which can cause this high-privilege skill to run outside clearly Motion-specific contexts. Because the skill can create sessions and perform workspace/document mutations, mistaken activation increases the chance of sending tokens or document operations to an external service without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents destructive operations such as delete, move, restore, rename, suggestion acceptance, and direct editing, but it does not require explicit user confirmation or present strong warnings before those actions. In a live collaborative workspace with workspace-scoped authority, this increases the risk of accidental data loss, unwanted edits, or broad content changes triggered by misunderstanding or prompt injection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly states that the agent token grants full workspace access but does not strongly warn that it is a highly sensitive credential equivalent to broad account authority. In a skill designed to trigger on pasted invite URLs, tokens, and document identifiers, this increases the chance that users or downstream agents treat powerful credentials too casually, enabling workspace-wide unauthorized actions if leaked or mishandled.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The examples document a one-shot `accept-all` action for suggestions without warning that it can apply sweeping document-wide changes. In an agent-driven editing context, this increases the risk of accidental mass modification, especially if an agent or user invokes it without reviewing pending suggestions first.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.