
Security audit

Walk users through ZenTao and zentao-cli in a relaxed, conversational way: following their own role (product manager, project manager, tester, developer or executive), they chat and act in a real ZenTao environment at the same time, getting familiar with creating, viewing, updating and deleting items in modules such as products, stories, plans, tasks, bugs and test cases, and with the status transitions between them.

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ZenTao onboarding skill. It can change real ZenTao project data, but only as part of its stated guided-tour purpose.

Install only if you want an interactive ZenTao tour that may run zentao-cli against your configured ZenTao account. Use a sandbox or low-risk project for practice, prefer tokens over passwords, protect the local zentao-cli config file, and approve write or delete actions only when you are comfortable changing real ZenTao data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description uses very broad trigger conditions such as when a user is new to ZenTao, wants to learn what it can do, or asks for a tour. In an agent environment, this can cause over-activation on ordinary help/onboarding requests and lead the agent into a workflow that performs environment checks and potentially real ZenTao actions in a live tenant without sufficiently narrow scoping.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding:
The skill content is written to conduct the interaction in Chinese without offering a language choice. That can cause user misunderstanding around consent, especially because the skill includes login checks and write-capable ZenTao operations; if the user is not comfortable in Chinese, they may approve actions they do not fully understand.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The document instructs users to authenticate with a username and password and states that credentials are cached locally in ~/.config/zentao/zentao.json, but it does not warn about local secret exposure, file permissions, shell history leakage, or the safer preference for tokens over passwords. In a security-sensitive onboarding flow, this omission can lead users to store long-lived credentials insecurely or paste secrets into shared terminals, increasing the risk of credential theft and unauthorized access to the ZenTao instance.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This section instructs the agent to claim an unassigned task by updating `assignedTo`, which mutates real project records, but it does not clearly warn that the action changes shared system state. In a live ZenTao environment, a user following the tour could unintentionally take ownership of actual work items and disrupt team workflow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
These instructions tell the agent to update estimates, start tasks, and finish tasks with consumed hours, all of which alter official workflow state and effort tracking. Without a prominent warning and confirmation step, the skill encourages operational changes that can corrupt project metrics, status boards, and reporting in a real environment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Resolving a bug sets its official resolution state, which is a significant workflow action affecting triage, reporting, and downstream testing. The skill presents this as a casual demo step without warning that it updates authoritative defect records, creating a risk of accidental closure or misclassification of real bugs.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to create real ZenTao objects (projects, sprints, and later tasks) directly in the user's environment without requiring an explicit warning, confirmation boundary, or recommendation to use demo data first. In a live project-management system, these writes can pollute production data, trigger notifications or workflow side effects, and mislead users into performing irreversible actions during what is framed as a casual tour.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly instructs the agent to run real `zentao` write commands that create products, stories, and plans, but it does not require a clear warning or confirmation that these actions will modify a live ZenTao instance. In an interactive tour context, users may believe they are in a guided demo and unintentionally create or alter production project data, especially because the narrative encourages seamless progression rather than explicit safety checkpoints.

VirusTotal

65/65 vendors flagged this skill as clean.
