Security audit

Eyun Watch

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed freight price-watch integration that creates watch tasks and sends recurring rate notifications, with some operational privacy and cron-permission cautions.

Before installing, confirm the Eyun server URL and company ID are trusted and correct, and ensure the configured channel/to destination is approved for freight-rate data. Review the eyun-watch-poll cron after setup and remove it if recurring polling or external chat delivery is not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
92% confidence
Finding
The README explicitly instructs operators to grant the cron workflow the generic `exec` tool so the agent can run shell commands, even though the stated business need is only to poll one fixed HTTP endpoint. Giving a scheduled agent shell capability broadens the attack surface significantly: prompt injection, misconfiguration, or future message changes could lead to arbitrary command execution rather than a constrained API call.

Description-Behavior Mismatch

Medium
92% confidence
Finding
The skill does more than its manifest and user-facing description suggest: it provisions a persistent background cron job that continues polling and sending notifications after the chat flow. This is a real security/transparency issue because it expands the skill's operational scope and creates ongoing actions outside the immediate user request without prominently disclosing that behavior up front.

Context-Inappropriate Capability

Medium
89% confidence
Finding
The skill reads broad runtime configuration including notification routing fields like channel and recipient target, which goes beyond simply creating a watch task. Access to these values enables the skill to direct messages to destinations the user may not see or control, increasing the risk of unintended disclosure or misuse of messaging infrastructure.

Missing User Warnings

Medium
87% confidence
Finding
The cron workflow pulls watch results and automatically forwards summaries to Telegram, but the README provides no warning about data sensitivity, recipient validation, retention, or third-party disclosure. Freight quotes, routes, carriers, ETD, and company-scoped results may be commercially sensitive, so unattended delivery to an external chat platform can leak business information if the chat ID is wrong, compromised, or insufficiently controlled.

Missing User Warnings

Medium
94% confidence
Finding
The skill omits a clear user warning that it will establish a recurring background poller and continue sending notifications after the conversation ends. This is dangerous because users may believe they are creating a one-time watch request, while the skill is actually enabling persistent automation with continued external calls and outbound messaging.

VirusTotal

64/64 vendors flagged this skill as clean.