禅道MCP agent pro

Security checks across malware telemetry and agentic risk

Overview

This ZenTao assistant is coherent for project management, but it asks for password-backed access and gives an agent broad ability to change live work records without clear confirmation safeguards.

Install only after reviewing or pinning the npm package. Use a least-privileged ZenTao account, avoid putting passwords directly in shell commands, and require the assistant to show the exact task, bug, story, iteration, assignee, status, and effort changes before it executes any write action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Medium
Confidence: 95%

Finding: The document presents a reassuring security statement that says the extension will not perform unauthorized risky changes, yet elsewhere explicitly instructs the model to create iterations, assign tasks, log effort, and update task/story/bug states. This mismatch can cause operators or downstream agents to overtrust the skill and approve execution of state-changing actions they would otherwise scrutinize.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding: The skill documentation instructs users to pass account credentials and a plaintext password directly on the command line. Command-line secrets are commonly exposed through shell history, process listings, logs, screenshots, and telemetry, making credential compromise substantially more likely.

VirusTotal

66/66 vendors flagged this skill as clean.
