Security audit

Zentao API Skills（禅道 API 技能）

Security checks across malware telemetry and agentic risk

Overview

This ZenTao skill appears purpose-aligned, but it handles and stores long-lived account tokens in ways users should review before installing.

Install only if you trust this skill with your ZenTao account and project data. Use HTTPS-only ZenTao URLs, prefer a limited-scope or revocable token if ZenTao supports it, restrict ~/.zentao-token.json permissions to your user, and confirm before any write or bulk operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill explicitly instructs use of shell commands such as eval, bash, curl, and rm, but no corresponding permission declaration is described. This creates a capability/permission gap where reviewers or runtime policy may underestimate what the skill can execute, increasing the risk of unintended command execution and weakening least-privilege controls.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The declared purpose focuses on calling the ZenTao API, but the documented behavior also includes credential collection, login, local token persistence, and reuse from disk/environment. This mismatch is security-relevant because users may not realize the skill stores authentication material locally and handles broader account-auth flows than its top-level description suggests.

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The invocation description is broad enough to match many generic project-management requests, which can cause the skill to activate in contexts where the user did not intend external API access or write operations. Because this skill can perform state-changing actions across many modules, overbroad triggering raises the chance of unintended data access or modification.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation directs the agent to write ZENTAO_URL, ZENTAO_TOKEN, and ZENTAO_ACCOUNT into ~/.zentao-token.json without a strong warning about sensitive token storage, file permissions, or shared-machine risk. Persisting bearer tokens on disk can expose long-lived access to local users, backup systems, logs, or other processes if the file is not adequately protected.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script persistently stores a long-lived ZenTao API token in ~/.zentao-token.json without setting restrictive permissions or warning the user at runtime. Because the header comment explicitly states the token is permanently valid, any local user, backup system, or malware able to read that file can reuse the token for ongoing authenticated API access.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script transmits account credentials to a server endpoint, which is expected for login, but it does so without enforcing HTTPS or validating that the configured URL is secure. In this skill context, ZENTAO_URL is user/config supplied, so credentials could be sent to an attacker-controlled or plaintext HTTP endpoint, exposing the username and password in transit.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.