Vitavault

Security checks across malware telemetry and agentic risk

Overview

This skill is a real health-data sync integration, but it asks the agent to publish and persist a health-data webhook with limited user confirmation and includes a remote API query script that conflicts with local-only claims.

Install only if you are comfortable with an agent creating a public HTTPS endpoint for health data and keeping a webhook running in the background. Before use, require explicit approval for tunnel setup and persistence, set a strong VITAVAULT_SYNC_TOKEN, avoid unauthenticated webhook runs, and review scripts/query.py because it uses a remote API endpoint despite local-only privacy language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to generate tokens, write files, launch a network listener, and expose it publicly, yet it declares no permissions or equivalent user-facing authorization boundaries. That mismatch hides sensitive capabilities from operators and increases the chance the agent will perform risky filesystem and network actions without informed consent, especially given the health-data context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior goes beyond a simple app integration by also describing local data import/storage, summary generation, persistent webhook operation, and possible remote API interaction via environment variables. When a skill understates its real behavior, users and reviewers cannot accurately assess the privacy and attack surface, which is particularly risky for medical and health-related data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup directs the agent to create and enable a system-wide service with sudo, so execution persists well beyond the immediate user request. This materially expands the blast radius: if the webhook or its configuration is flawed, the host keeps accepting health-data traffic across reboots, and the installation itself runs as root even though a per-user listener needs no elevated privileges.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file explicitly describes authentication as optional, and the implementation binds to 0.0.0.0 with no token required by default, creating an unauthenticated network listener that accepts and stores arbitrary POSTed data. In the context of health-data ingestion, this is especially risky because anyone who can reach the port can inject fake medical data, fill disk space, or abuse the service as an exposed intake endpoint.
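The following is an added example, not the skill's scripts/webhook.py and not code from this page: a minimal receiver written the way the finding above says the real one should have been. It keeps the names the page gives (VITAVAULT_SYNC_TOKEN, port 8787, snapshots under ~/vitavault/data/) and makes the token mandatory, binds loopback unless the caller explicitly asks for another interface, caps the request body, and writes snapshots with mode 0600. The demo() function and the JSON sample it posts are constructed for illustration; the handler, route name and file naming are assumptions, not the skill's contract.

```python
"""Added example: a hardened stand-in for a health-data webhook receiver.

Not the skill's own code. Fixes the finding above: token required,
loopback bind by default, bounded body, private snapshot files.
"""
import hmac
import http.client
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

MAX_BODY = 1 << 20  # 1 MiB: larger POSTs are refused before any byte of body is read


def generate_token() -> str:
    """256 bits from the OS CSPRNG, URL-safe: a suitable VITAVAULT_SYNC_TOKEN."""
    return secrets.token_urlsafe(32)


def token_matches(presented, expected: str) -> bool:
    """Constant-time compare; a missing or empty header never matches."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class WebhookHandler(BaseHTTPRequestHandler):
    token = ""  # bound per server in serve()
    data_dir = Path.home() / "vitavault" / "data"  # assumed layout, taken from the page

    def log_message(self, *args):
        pass  # never log request lines: paths and headers may carry health data

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length <= 0 or length > MAX_BODY:
            self.send_error(413, "body missing or too large")
            return
        body = self.rfile.read(length)  # bounded; drained before replying so the peer sees no reset
        auth = self.headers.get("Authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if not token_matches(presented, self.token):
            self.send_error(401, "sync token required")
            return
        try:
            snapshot = json.loads(body)
        except ValueError:
            self.send_error(400, "body is not JSON")
            return
        self.data_dir.mkdir(parents=True, exist_ok=True)
        path = self.data_dir / f"snapshot-{secrets.token_hex(8)}.json"
        # O_EXCL prevents clobbering an existing file; 0600 keeps snapshots private to the service user
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(snapshot, f)
        self.send_response(204)
        self.end_headers()


def serve(token: str, data_dir: Path, host: str = "127.0.0.1", port: int = 0) -> ThreadingHTTPServer:
    """Start the receiver in a background thread; refuse to run unauthenticated, default to loopback."""
    if not token:
        raise ValueError("VITAVAULT_SYNC_TOKEN is empty: refusing to start an unauthenticated listener")
    handler = type("BoundHandler", (WebhookHandler,), {"token": token, "data_dir": data_dir})
    server = ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> dict:
    """Exercise the receiver with constructed requests; returns what a client observed."""
    token = generate_token()
    data_dir = Path(tempfile.mkdtemp()) / "data"
    srv = serve(token, data_dir)
    host, port = srv.server_address[:2]

    def post(headers: dict) -> int:
        req = urllib.request.Request(f"http://{host}:{port}/sync", data=b'{"steps": 4200}',
                                     headers=headers, method="POST")  # constructed sample payload
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    codes = [post({}),                                              # no token
             post({"Authorization": "Bearer " + generate_token()}),  # wrong token
             post({"Authorization": "Bearer " + token})]             # right token
    # Oversized claim: only headers are sent; the server must refuse before reading a body
    conn = http.client.HTTPConnection(host, port)
    conn.putrequest("POST", "/sync")
    conn.putheader("Authorization", "Bearer " + token)
    conn.putheader("Content-Length", str(MAX_BODY + 1))
    conn.endheaders()
    codes.append(conn.getresponse().status)
    conn.close()
    try:
        serve("", data_dir)
        refused_empty = False
    except ValueError:
        refused_empty = True
    srv.shutdown()
    srv.server_close()
    return {"codes": codes, "snapshots": len(list(data_dir.glob("*.json"))), "refused_empty_token": refused_empty}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the status codes a client sees for the four constructed requests (no token, wrong token, right token, oversized claim) and confirms that an empty VITAVAULT_SYNC_TOKEN aborts startup instead of silently opening the port. Exposing it beyond loopback is a deliberate call to serve() with host="0.0.0.0", which is the decision the finding says should never be the default.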

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation trigger is broad and tells the agent to perform multi-step infrastructure setup automatically whenever the user says to set up VitaVault. Because the trigger lacks scope constraints and confirmation checkpoints, it increases the risk of unintended execution of token creation, service launch, and internet exposure from a casual or ambiguous request.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions tell the agent it MUST expose the webhook over HTTPS but do not require a clear warning that this publishes a health-data ingestion endpoint to the internet. Exposing a medical-data receiver without an explicit privacy and threat warning is dangerous because users may not understand that sensitive data will traverse public infrastructure such as tunnels or reverse proxies.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Agent Setup Guide (DO THIS WHEN USER SAYS "set up VitaVault")

When your user asks to set up VitaVault sync, follow these steps automatically. Don't ask the user to do the technical parts - handle it yourself and hand them the URL + token at the end.

### Step 1: Generate a sync token
Confidence
93% confidence
Finding
Don't ask the user

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Adjust paths and token, then:
sudo cp /tmp/vitavault-webhook.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now vitavault-webhook
```

## Querying Health Data
Confidence
94% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 2: Start the webhook

```bash
VITAVAULT_SYNC_TOKEN="$TOKEN" nohup python3 scripts/webhook.py --host 0.0.0.0 --port 8787 > /tmp/vitavault-webhook.log 2>&1 &
```

The webhook listens for health data POSTs and saves snapshots to `~/vitavault/data/`.
Confidence
88% confidence
Finding
nohup

VirusTotal

63/63 vendors flagged this skill as clean.
