Security audit

Vikunja

Security checks across malware telemetry and agentic risk

Overview

This Vikunja skill is purpose-aligned overall, but it exposes reusable authentication tokens and can delete task/project data without enough safeguards.

Review before installing. Use it only with a Vikunja server you trust, avoid logging or sharing the token printed by login, restrict permissions on any config or token file, and require explicit confirmation before deletes or bulk changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documents and encourages use of network access, environment variables, file reads, and file writes, but declares no permissions. That mismatch hides the true capability surface from the platform and users, making credential access, outbound requests, and local log/config handling less auditable and easier to misuse.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill exposes a login subcommand that prints the raw Vikunja bearer token to stdout, even though the skill's stated purpose is task management rather than credential retrieval. In an agent environment, stdout is often logged, surfaced to the user, or consumed by other tools, so this creates an unnecessary secret-disclosure path.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: Printing a reusable bearer token to stdout discloses live authentication material that can be copied and replayed to access the user's Vikunja account. This is especially dangerous in agent systems because outputs may be retained in transcripts, logs, telemetry, or shown back to less-trusted callers.

Vague Triggers

High

Confidence: 92% confidence
Finding: The trigger phrases include very common terms such as 'task', 'project', 'schedule', 'reminder', and 'label', which can cause the skill to activate for unrelated everyday requests. Because this skill can perform authenticated API actions against a task system, overbroad invocation increases the chance of unintended writes, updates, or deletions.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill exposes direct delete commands for tasks and projects without any guidance to confirm user intent, preview targets, or warn about irreversible effects. In an agent setting, this materially increases the risk of accidental or prompt-induced destructive actions against the user's task data.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The command emits the auth token directly with no warning, redaction, or interactive confirmation. That makes accidental credential exposure likely during normal use, especially when command outputs are copied, logged, or displayed by automation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal