Security audit

Coze Cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Coze CLI helper skill, but users should treat deployments, environment changes, and file uploads as sensitive actions.

Install only if you trust the Coze CLI package and want an agent to help operate Coze projects. Confirm the target organization, space, project, and environment before deploy/delete/env/config commands, and do not pipe logs or upload files that may contain secrets, personal data, or proprietary content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium (92% confidence)
Finding
The trigger phrase definition is broad enough to activate on generic mentions of 'coze' or any coze command execution, which can cause the skill to run in contexts where the user did not intend operational actions. Because this skill can authenticate, switch orgs/spaces, deploy projects, and send data to remote services, accidental invocation materially increases the chance of unintended side effects.

Missing User Warnings

Medium (88% confidence)
Finding
The README advertises capabilities including deployment, environment management, and message sending to remote projects without warning about operational, privacy, or cost impact. In an agent skill, omission of these warnings can normalize high-impact actions and lead users or downstream agents to perform destructive or data-transferring operations without informed consent.

Missing User Warnings

Medium (96% confidence)
Finding
The examples explicitly show local files and logs being piped into `coze code message send`, which encourages transmitting local content to a remote service without any privacy or secret-handling warning. Logs and source files frequently contain tokens, personal data, internal URLs, and stack traces, so this pattern creates a realistic exfiltration path.

Missing User Warnings

Medium (90% confidence)
Finding
The documentation describes setting and deleting environment variables without explaining that these actions can alter application behavior, break deployments, or remove critical secrets. In an automated agent context, missing warnings make destructive configuration changes more likely and harder to attribute before harm occurs.

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrase is very broad: it activates on any mention of "coze" or any Coze command execution, which can cause the skill to run in situations where the user did not intend to authorize terminal actions. In a skill that can deploy projects, change org/space context, and send data to remote services, accidental invocation meaningfully increases the chance of unintended state-changing or data-transferring actions.

Missing User Warnings

Medium (88% confidence)
Finding
This section documents state-changing and potentially sensitive operations such as deploys, environment variable management, config changes, and non-interactive CI/CD execution, but it provides no warning about operational impact or consent requirements. In practice, an agent using this skill could mutate production configuration, target the wrong org/space/project, or expose secrets through verbose/debug output without an explicit user checkpoint.

Missing User Warnings

Medium (76% confidence)
Finding
This skill is specifically designed to drive an external CLI, and the upload command sends a local file off-host to a remote service. Without any warning about external transmission, users may unintentionally exfiltrate sensitive local data such as source code, credentials, or private documents through agent-assisted command execution.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.