Back to skill

Security audit

ShareOne File Publisher & Short Links

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for ShareOne publishing, downloading, and comment handling, but its credential handling and silent owner-download behavior need Review.

Install only if you are comfortable giving this skill a ShareOne API key that can publish, download, edit settings, and process comments. Prefer a managed secret store over local fallback storage, avoid pasting long-lived keys into chat when possible, and be aware that downloads may use owner privileges and bypass public share restrictions when a saved key is available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script prints the resolved ShareOne API key directly to stdout in both direct-fallback and local modes. Secrets written to stdout are commonly captured by logs, parent processes, CI systems, terminal history tooling, or other components, turning a credential check into credential disclosure; this behavior is not necessary for the skill’s publishing/downloading purpose.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The workflow explicitly instructs the agent to attempt an owner-authenticated download first and notes that this bypasses access passwords and the `allow_download` restriction. That expands the operation from 'download a shared file' into privileged retrieval that can defeat the share's intended access controls, creating a real risk of unauthorized data access if the agent has stored owner credentials.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The error-handling guidance tells the agent to report that download is not allowed and ask the owner to enable it, even though earlier text says owner download bypasses `allow_download`. This inconsistency can mask privileged behavior, confuse operators about what access path was used, and lead to unsafe handling of restricted content without transparent user consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
When a key is present, the code emits it verbatim via console.log, exposing credentials without redaction or warning. In the context of a skill that handles remote document publishing and retrieval, compromise of the API key could allow unauthorized access to ShareOne resources, uploads, downloads, or account-scoped actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script logs the newly created guest API key directly to stdout via `GUEST_KEY_CREATED:${result.api_key}`. Secrets printed to console are commonly captured by terminal scrollback, logs, CI output, agent transcripts, or other telemetry, which can expose the key to unintended parties and enable unauthorized use of the ShareOne account or guest capability.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
On fallback, the code saves the guest API key to local storage with `saveLocalApiKey(result.api_key)` when proxy persistence fails or is unavailable. Persisting credentials locally without clear disclosure, scope limitation, or visible consent increases the chance of secret exposure through local filesystem compromise, backups, or reuse beyond the user's expectation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When saving to the proxy-backed credential store fails, the code silently falls back to saving the ShareOne API key locally. Although it emits a status message, it does not clearly warn about the security implications of local credential persistence or require explicit user consent, which can expose the key to other local users, backups, or insecure filesystem handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In the primary non-proxy path, the script persists the API key locally and only prints a generic success message, with no disclosure that a sensitive credential is being stored on disk. In a skill that publishes and modifies ShareOne content, compromise of this key could enable unauthorized publishing, downloads, or comment access under the user's account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists the ShareOne API key in a local file under the skill directory without setting restrictive file permissions or warning the caller that a long-lived secret will be written to disk. In an agent/skill environment, local workspace files may be readable by other processes, packed into logs or artifacts, or unintentionally shared, which can lead to credential theft and unauthorized access to the ShareOne account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script uploads a local file to a remote ShareOne service and even supports overriding the destination via --base-url, but it provides no explicit user-facing warning, confirmation, or dry-run disclosure at the point of transmission. In an agent skill whose purpose is to publish local files, this increases the risk of accidental exfiltration of sensitive local content, especially if arguments are constructed indirectly by another component or a user does not realize that execution causes immediate network upload.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly requires an owner API key and instructs the agent to perform authenticated status changes, downloads, content updates, replies, dismissals, and settings changes against a live ShareOne share, but it does not clearly foreground that these commands will modify remote production data. In a skill that may be triggered by a user's request to 'process comments' or 'modify this ShareOne link,' this omission increases the risk of unintended remote changes if the operator or upstream agent misinterprets scope or target.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that owner download bypasses public restrictions but does not frame this as a privileged, potentially sensitive action requiring explicit authorization. In this skill context, that omission is dangerous because the skill is meant for routine downloading of shared links, so silently escalating to owner access can defeat the platform's security model and expose files users should not be able to fetch.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script instructs the agent to ask the user to reply with their API key directly in chat and then save it. Collecting long-lived credentials through normal conversation channels is dangerous because the key can be exposed in chat logs, model traces, debugging systems, transcripts, or downstream tools handling the conversation.

Ssd 3

Medium
Confidence
99% confidence
Finding
This fallback path explicitly asks users to provide an API key for local storage, increasing risk because the key is both transmitted in plaintext and then persisted outside a managed secret store. In the context of a file-sharing skill, compromise of the API key could permit unauthorized publishing, downloading, editing, or comment access on ShareOne resources.

Ssd 3

Medium
Confidence
98% confidence
Finding
The direct-mode prompt asks the user to send their API key in plaintext, which is an unsafe credential-handling pattern regardless of whether the key is stored locally or in a secret store afterward. Because this skill manages public sharing links and file operations, a leaked key could enable account misuse, data exposure, or unauthorized content changes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.secret_argv_exposure

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/publish.js:113

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/download-file.md:29

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/publish-binary-file.md:31

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/publish-text-page.md:47

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
workflows/update-share-settings.md:31