beepctl

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Beeper messaging CLI helper, but it should be used carefully because it can access chats, handle tokens, and send messages.

Install only if you trust the external beepctl npm/GitHub project and are comfortable letting an agent work with Beeper-connected conversations. Do not expose API tokens in logs or transcripts, verify aliases resolve to the intended chat, and require explicit confirmation before any send or other account-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
Documenting `auth show` and `auth set <token>` without an accompanying warning about credential sensitivity can lead users or downstream agents to print, paste, or log API tokens in plaintext. Exposure of a Beeper API token could allow unauthorized access to messages, account metadata, and messaging actions across connected platforms.

VirusTotal

63/63 vendors flagged this skill as clean.
