Back to skill

Security audit

Shortcut

Security checks across malware telemetry and agentic risk

Overview

This Shortcut skill fits its purpose, but it can delete and change project data with limited safety prompts or scoping.

Install only if you are comfortable giving the agent authority to modify and delete Shortcut workspace data. Use a minimally scoped Shortcut token if available, store it outside repositories, rotate it if exposed, and review delete/update requests carefully before letting the agent run them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents direct shell-script execution and access to local files and environment variables, but it does not declare permissions to reflect those capabilities. This creates a trust and policy-enforcement gap: an agent or reviewer may underestimate that the skill can read local secrets, invoke scripts, and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The documented behavior understates the full set of destructive and stateful operations, including deleting tasks/comments and initializing local configuration files. That mismatch is dangerous because users or orchestrators may authorize the skill for routine story management without realizing it can delete remote data or write persistent local configuration.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script implements destructive comment deletion, but the declared skill description only mentions comment support generally and does not clearly disclose deletion as a capability. In an agent context, undeclared destructive actions reduce user visibility and can enable unintended or unauthorized data removal when the skill is invoked under incomplete assumptions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to store a live API token in a local file but provides no warning about credential sensitivity, rotation, or avoiding accidental disclosure through backups, logs, or repository commits. While chmod 600 helps, the absence of credential-handling guidance increases the chance of token exposure and unauthorized access to Shortcut data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs an irreversible DELETE request immediately once given IDs, with no confirmation prompt, dry-run mode, or safety interlock. In an agent-driven workflow, incorrect IDs, prompt injection, or operator error could silently remove comments and cause loss of audit trail or project context.

External Transmission

Medium
Category
Data Exfiltration
Content
PAYLOAD="{$(IFS=,; echo "${UPDATES[*]}")}"

# Update story
RESPONSE=$(curl -s -X PUT \
  -H "Content-Type: application/json" \
  -H "Shortcut-Token: $TOKEN" \
  -d "$PAYLOAD" \
Confidence
97% confidence
Finding
curl -s -X PUT \ -H "Content-Type: application/json" \ -H "Shortcut-Token: $TOKEN" \ -d

Session Persistence

Medium
Category
Rogue Agent
Content
## Workflow

1. List existing stories to understand current board state
2. Create new stories with descriptive names and appropriate types
3. Update story status as work progresses

## Notes
Confidence
81% confidence
Finding
Create new stories with descriptive names and appropriate types 3. Update story status as work progresses ## Notes - Scripts use `SHORTCUT_API_TOKEN` environment variable or fall back to `~/.config

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.