Security audit

Zentao API Skills(禅道 API 技能)

Security checks across malware telemetry and agentic risk

Overview

This ZenTao skill appears purpose-aligned, but it handles and stores long-lived account tokens in ways users should review before installing.

Install only if you trust this skill with your ZenTao account and project data. Use HTTPS-only ZenTao URLs, prefer a limited-scope or revocable token if ZenTao supports it, restrict ~/.zentao-token.json permissions to your user, and confirm before any write or bulk operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill explicitly instructs use of shell commands such as eval, bash, curl, and rm, but no corresponding permission declaration is described. This creates a capability/permission gap where reviewers or runtime policy may underestimate what the skill can execute, increasing the risk of unintended command execution and weakening least-privilege controls.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The declared purpose focuses on calling the ZenTao API, but the documented behavior also includes credential collection, login, local token persistence, and reuse from disk/environment. This mismatch is security-relevant because users may not realize the skill stores authentication material locally and handles broader account-auth flows than its top-level description suggests.

Vague Triggers

Medium
Confidence: 78%
Finding
The invocation description is broad enough to match many generic project-management requests, which can cause the skill to activate in contexts where the user did not intend external API access or write operations. Because this skill can perform state-changing actions across many modules, overbroad triggering raises the chance of unintended data access or modification.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation directs the agent to write ZENTAO_URL, ZENTAO_TOKEN, and ZENTAO_ACCOUNT into ~/.zentao-token.json without a strong warning about sensitive token storage, file permissions, or shared-machine risk. Persisting bearer tokens on disk can expose long-lived access to local users, backup systems, logs, or other processes if the file is not adequately protected.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script persistently stores a long-lived ZenTao API token in ~/.zentao-token.json without setting restrictive permissions or warning the user at runtime. Because the header comment explicitly states the token is permanently valid, any local user, backup system, or malware able to read that file can reuse the token for ongoing authenticated API access.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script transmits account credentials to a server endpoint, which is expected for login, but it does so without enforcing HTTPS or validating that the configured URL is secure. In this skill context, ZENTAO_URL is user/config supplied, so credentials could be sent to an attacker-controlled or plaintext HTTP endpoint, exposing the username and password in transit.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.