
Security audit

Appflowy Skill

Security checks across malware telemetry and agentic risk

Overview

This AppFlowy automation skill matches its stated purpose, but it can directly modify or delete live workspace content using user credentials without strong safety prompts.

Review before installing if you plan to run it against real AppFlowy data. Use a test workspace first, back up important documents, verify workspace/view/database IDs carefully, avoid putting passwords directly on the command line, prefer short-lived tokens or least-privilege accounts, and treat update-user-management-doc/apply-grid/collab operations as live data-changing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The script is not limited to API client debugging: it deletes document blocks, removes headings/sections, creates or rebuilds database views, deletes default rows, and seeds synthetic planning data. In a skill advertised for authentication/API usage and troubleshooting, this broad write/destructive behavior creates a real risk of unintended data loss or unauthorized content tampering if a user runs it against a live workspace.

Missing User Warnings

Medium (91% confidence)
Finding
The skill instructs users to authenticate with email/password and run scripts that can create or modify remote AppFlowy documents and grids, but it does not prominently warn about credential handling, token sensitivity, or the risk of altering production data. In practice, this increases the chance of accidental secret exposure or unintended destructive changes by operators or automation.

Missing User Warnings

Medium (90% confidence)
Finding
The README provides ready-to-run commands that require user email/password and perform remote document-modifying operations against an AppFlowy workspace, but it gives no warning about credential handling, target-environment safety, or the fact that the commands will change live remote content. In a skill specifically designed for API automation and debugging, this increases the chance of accidental misuse, credential exposure via shell history/process lists, or unintended modification of production data.

Missing User Warnings

Medium (94% confidence)
Finding
The main execution path performs immediate in-place deletions and database/grid modifications without any interactive confirmation, preview, or safety interlock. Because the script authenticates with user-supplied credentials/token and targets arbitrary workspace/view IDs, a mistaken invocation can destroy or overwrite production content at scale with no last-chance warning.

VirusTotal

65/65 vendors flagged this skill as clean.
