Back to skill

Security audit

WORKFOZ

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it handles account and payment actions while storing session access in plaintext and includes a questionable CAPTCHA-bypass registration flow.

Review before installing. Use this only if you trust WorkFoz and are comfortable letting the skill perform account, bidding, password, and payment-claim actions. Use a private workspace, avoid putting real passwords or wallet addresses in shared logs or transcripts, never commit .session.json, remove that file when finished, and treat the CAPTCHA test value as something the publisher should fix or clearly limit to non-production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The registration flow hardcodes a fake reCAPTCHA value ('test') while the adjacent comment acknowledges reCAPTCHA is required in production. If the backend accepts or is configured to tolerate this value, the CLI enables automated account creation and abuse of the registration endpoint, undermining an anti-bot control.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill states that login 'saves your session locally' but does not clearly warn that authentication material will persist on disk, where it may be recovered by other local users, later tasks, or from logs/backups in a shared or ephemeral agent environment. In an autonomous agent setting, undocumented credential persistence increases the risk of unintended account reuse or session theft.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The claim-payment workflow instructs the agent to submit wallet addresses and payout details but provides no warning that this is sensitive financial information. In practice, these values can expose payment destinations, facilitate fraud if misdirected, and may be captured in shell history, logs, transcripts, or shared execution environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Session data is persisted to a local .session.json file in the script directory, which can include bearer tokens and later cookies. Storing authentication material in plaintext without permission checks or clear user disclosure increases the risk of credential theft by other local users, malware, backups, or accidental source-control inclusion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code automatically captures Set-Cookie headers from server responses and saves them locally for reuse, extending plaintext persistence to session cookies as well as tokens. Cookies can carry active authenticated sessions, so local disclosure or theft may enable account takeover or replay of authenticated requests.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.potential_exfiltration

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
portal-cli.js:17