Bloom Supporter Identity

Security checks across malware telemetry and agentic risk

Overview

Bloom has a plausible purpose, but it automatically downloads and runs external code that reads chat sessions, creates local configuration, and sets up wallet/network behavior.

Install only if you trust the external GitHub repository and its npm dependencies. Avoid running it on sensitive conversations, review what data is sent to Bloom services, replace the default JWT secret before any dashboard use, and do not deposit funds into the generated wallet until custody, withdrawal, and cleanup behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill markets itself as a lightweight personality-analysis tool, but the documentation also describes materially broader behavior: reading local session files, contacting external services, creating local configuration, and generating a blockchain wallet. This mismatch undermines informed consent and can cause users to authorize sensitive access they did not reasonably expect from the headline description.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The README documents capabilities such as dashboard token generation, external dashboard configuration, and blockchain network/wallet behavior that extend beyond the stated supporter-personality recommendation scope. This scope mismatch can mislead users and reviewers about what data is processed and what external side effects may occur, undermining informed consent and increasing the chance of overprivileged or unexpected behavior being deployed.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The README claims analysis occurs without needing external APIs, but later documents DASHBOARD_URL, JWT_SECRET, NETWORK, and wallet creation behavior that imply external service and blockchain integration. This discrepancy can cause users or operators to trust the skill as local-only when it may transmit data or trigger external actions, which is a security-relevant form of deceptive documentation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The text says the user controls whether identity data is shared publicly, but elsewhere states that identity-card data is stored on Bloom Protocol as part of normal operation. That inconsistency can mislead users about when their derived personal data leaves the local environment, creating privacy and consent risk.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Claiming 'no auth flows' while later documenting JWT-based dashboard authentication is contradictory and may hide trust boundaries from users and reviewers. Misleading authentication claims can cause operators to underestimate token handling, secret management, and account-linking risks.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The wrapper clones a remote GitHub repository and then installs and executes its code at runtime. This creates a supply-chain execution path not evident from the skill’s stated purpose, and any compromise of the repository, dependency tree, or install process would result in arbitrary code execution in the user context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Running `npm install` and later invoking `npx tsx` gives the skill broad code execution capability that is disproportionate to a personality-analysis/recommendation feature. Package lifecycle scripts and transitive dependencies can execute arbitrary code, making this a serious supply-chain and privilege-abuse risk.

Scope Creep

High
Confidence
95% confidence
Finding
The script creates directories under the user’s local workspace even though the manifest does not declare file-write behavior. This mismatch increases risk because users may not expect persistent local changes, and it enables the skill to establish a foothold for later code/configuration manipulation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README says the bot analyzes conversations directly from context and that the bot automatically collects current conversation context, but it does not present this as a prominent user warning or consent notice. Because the skill has read:conversations and external network permissions, silent collection and analysis of conversation content is more dangerous: users may expose sensitive chat data without realizing it will be processed by the skill and potentially forwarded onward.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README lists sensitive environment variables including JWT_SECRET alongside dashboard and network configuration, but provides no warning about secure storage, rotation, least-privilege handling, or the consequences of misconfiguration. In a skill with external network and wallet-related behavior, weak credential hygiene can enable token forgery, unauthorized dashboard access, or unsafe use of production blockchain endpoints.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The natural-language triggers are broad and overlap with ordinary conversation, increasing the chance of accidental invocation. Because the skill can read conversation history, contact external services, and create a wallet, unintended activation could expose sensitive derived data or perform actions the user did not mean to initiate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently performs first-run cloning and installation from a remote repository without an explicit confirmation gate. This is dangerous because users are exposed to remote code execution and dependency risks before they can make an informed trust decision.
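The three findings above that concern the remote clone, the `npm install` / `npx tsx` execution, and the missing confirmation gate all describe the same exposure: code nobody has read runs in the user context before the user can decide. The block below is an added example written for this page, not code from Bloom or from the scanner. It reads a cloned project's package.json, flags install-time lifecycle scripts and dependency specifiers that are not pinned to an exact version or that fetch from outside the npm registry, and returns whether an install may proceed. The package.json content is constructed for the example, and the blocking policy is an assumption, not a published standard.

```python
"""Pre-install gate for a cloned npm project (added example, not Bloom's code).

Before running `npm install` on a repository the wrapper just cloned, read its
package.json and refuse to proceed when install-time lifecycle hooks or
dependencies fetched from outside the registry are present.  The policy
thresholds below are assumptions for the example, not a published standard."""
import json
import re

# npm runs these scripts automatically during install; each one is arbitrary code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Specifiers that fetch from a git host, a URL or the local filesystem instead of the registry.
REMOTE_RE = re.compile(r"^(git\+|git:|github:|https?://|file:)")
# Only an exact x.y.z version counts as pinned; ^, ~, ranges, *, "latest" and tags do not.
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample of what a cloned repository's package.json might contain.
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample",
  "scripts": {
    "postinstall": "node scripts/setup.js",
    "start": "tsx src/index.ts"
  },
  "dependencies": {
    "express": "^4.19.2",
    "jsonwebtoken": "9.0.2",
    "helper-lib": "git+https://github.com/example/helper-lib.git"
  }
}"""


def audit_package_json(text):
    """Return (kind, name, detail) tuples for every risky entry in package.json."""
    pkg = json.loads(text)
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("lifecycle_script", hook, scripts[hook]))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if REMOTE_RE.match(spec):
                findings.append(("remote_dependency", name, spec))
            elif not EXACT_RE.match(spec):
                findings.append(("unpinned_dependency", name, spec))
    return findings


def install_allowed(findings, lockfile_present):
    """Policy (assumed for this example): lifecycle hooks and remote dependencies
    block the install until a human has read them; unpinned ranges are tolerated
    only when a lockfile fixes the transitive tree, so `npm ci` installs exactly
    what was reviewed."""
    if any(kind in ("lifecycle_script", "remote_dependency") for kind, _, _ in findings):
        return False
    return lockfile_present


def recommended_install_command(lockfile_present):
    """`npm ci` fails if package.json and the lockfile disagree; --ignore-scripts
    stops lifecycle hooks from running.  Without a lockfile there is no safe default."""
    return "npm ci --ignore-scripts" if lockfile_present else None


if __name__ == "__main__":
    found = audit_package_json(SAMPLE_PACKAGE_JSON)
    for kind, name, detail in found:
        print(f"{kind:20} {name}: {detail}")
    print("install allowed:", install_allowed(found, lockfile_present=True))
    print("command:", recommended_install_command(lockfile_present=True))
```

Run this against the checkout before the wrapper's own install step, and pin the clone to a reviewed commit rather than a branch tip. A postinstall hook that is genuinely needed (a native build, for instance) should be read and then run by hand after `npm ci --ignore-scripts`, not left to fire unattended.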

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes a `.env` file automatically and seeds it with a default JWT secret. Auto-generating credential-related configuration without strong warnings can lead to insecure defaults being used in production-like contexts and creates sensitive local state unexpectedly.
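The credential-hygiene finding and the auto-generated `.env` finding above come down to one failure: if the JWT secret is a value an outsider can guess, that outsider can mint tokens the dashboard will accept. The block below is an added example, not Bloom's code. It assumes a `.env` of the documented shape (DASHBOARD_URL, JWT_SECRET, NETWORK), uses the placeholder `change-me` for the default secret because the page does not disclose the real value, and assumes HS256 because the README describes a single shared JWT_SECRET. It classifies the configured secret, shows the forgery with standard-library HMAC, and applies the fix (a 256-bit random secret).

```python
"""Default JWT secret check and forgery demonstration (added example, not Bloom's code).

Assumes a .env of the documented shape (DASHBOARD_URL, JWT_SECRET, NETWORK).
The page does not disclose the real default secret, so "change-me" is a
placeholder; HS256 is assumed because the README describes a shared JWT_SECRET."""
import base64
import hashlib
import hmac
import json
import secrets

ASSUMED_DEFAULT_SECRET = "change-me"  # placeholder, not the real default
KNOWN_WEAK_SECRETS = {ASSUMED_DEFAULT_SECRET, "secret", "changeme", "jwt_secret", "password"}
MIN_SECRET_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits

# Constructed sample of the file the wrapper writes on first run.
GENERATED_ENV = """# constructed sample, not the real generated file
DASHBOARD_URL=http://localhost:3000
JWT_SECRET=change-me
NETWORK=testnet
"""


def parse_env(text):
    """Minimal KEY=VALUE parser; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_jwt_secret(env):
    """Classify the configured secret: missing, default_or_known, too_short or ok."""
    secret = env.get("JWT_SECRET", "")
    if not secret:
        return "missing"
    if secret in KNOWN_WEAK_SECRETS:
        return "default_or_known"
    if len(secret.encode()) < MIN_SECRET_BYTES:
        return "too_short"
    return "ok"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims, secret):
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    tag = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def verify_hs256(token, secret):
    """Return the claims if the signature checks out under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, tag = parts
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def attacker_can_forge(env_text, claims):
    """Simulate the risk: an outsider who only knows the candidate defaults mints a
    token for `claims`; return the guess the dashboard's verifier accepts, or None."""
    deployed_secret = parse_env(env_text).get("JWT_SECRET", "")
    for guess in KNOWN_WEAK_SECRETS:
        if verify_hs256(sign_hs256(claims, guess), deployed_secret) is not None:
            return guess
    return None


def generate_secret():
    """The fix: 32 random bytes (64 hex chars) from the OS CSPRNG, written to .env
    before the dashboard is ever started, and rotated if it is ever exposed."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("generated .env secret:", check_jwt_secret(parse_env(GENERATED_ENV)))
    print("forgeable with guess:", attacker_can_forge(GENERATED_ENV, {"sub": "admin", "role": "owner"}))
    fixed_env = GENERATED_ENV.replace(ASSUMED_DEFAULT_SECRET, generate_secret())
    print("after rotation:", check_jwt_secret(parse_env(fixed_env)),
          "forgeable:", attacker_can_forge(fixed_env, {"sub": "admin"}))
```

The check belongs in whatever starts the dashboard: refuse to boot while `check_jwt_secret` returns anything but `ok`, so a copied default can never reach a reachable endpoint. Keep the generated `.env` out of version control and out of the skill's own conversation context.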

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## ⚠️ Permissions & Capabilities

This skill requires the following permissions:

**📖 Read Conversations** - Analyzes your last ~120 messages to understand your interests and supporter type. Raw conversation text stays local; only analysis results are used.
Confidence
83% confidence
Finding
permissions: *

Excessive Permissions

Low
Category
Privilege Escalation
Content
## ⚠️ Permissions & Capabilities

This skill requires the following permissions:

**📖 Read Conversations** - Analyzes your last ~120 messages to understand your interests and supporter type. Raw conversation text stays local; only analysis results are used.
Confidence
78% confidence
Finding
permissions: *

VirusTotal

65/65 vendors rated this skill clean. This is a static verdict on the skill package as submitted; it says nothing about the repository the wrapper clones and installs at first run or about that repository's npm dependency tree.
