Back to skill

Security audit

Robot Id Card

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real bot-identity toolkit, but it needs review because it stores signing keys, broadcasts identity headers broadly, and has incomplete security controls in its trust model.

Install only if you are comfortable with a beta bot-identity system that handles private signing keys. Avoid loading the browser extension into a normal browsing profile unless identity headers should be sent broadly; prefer a dedicated bot profile or domain-scoped fork. For deployment, set a unique RIC_ADMIN_KEY, do not rely on the default, and do not treat registry-issued certificate signatures as production-grade until real registry signing and stricter key validation are implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The extension requests host access to <all_urls>, allowing its background service worker to potentially observe or affect traffic across every site the user visits. For a bot identity/certificate extension, that scope is broader than necessary and increases the blast radius of any bug, abuse, or future malicious update, especially because the skill’s purpose is to attach identity material to web requests.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code explicitly claims RFC 9421-style signing while generating a signature over a wildcard `@authority` that cannot match the actual destination host. This creates a dangerous trust ambiguity: relying parties may incorrectly treat the headers as meaningful authentication and, as the comment suggests, may be tempted to skip authority verification, weakening the security model and enabling misuse of a bot identity across unrelated sites.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The popup explicitly asks the user to paste a JSON file containing `private_key_hex` and then forwards that private key to extension storage via `SAVE_CONFIG`. In a browser extension context, persisting long-lived signing keys materially increases the blast radius of any storage compromise, extension bug, or unintended exposure, especially because this project is identity/authentication focused and the key appears sufficient to impersonate the bot.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The permission logic directly converts certificate-embedded grade and self-declared capabilities into access levels up to 'Direct chat'. If an attacker can obtain, forge, replay, or otherwise inject a certificate object that passes schema validation but has not been strongly verified in context, downstream consumers may grant content-interaction permissions based on identity metadata alone, creating an authorization-trust boundary weakness.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The registration route issues a fake placeholder value (`registry_sig_${nanoid(32)}`) instead of a real registry-generated Ed25519 signature, despite presenting the result as a certificate. In a system whose core trust model is cryptographic identity and RFC-aligned signed artifacts, unsigned or falsely 'signed' certificates can mislead relying parties, break verification guarantees, and allow untrusted identities to appear legitimate if downstream consumers do not strictly validate signature semantics.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code comments and error messaging imply Ed25519 key validation, but the implementation only checks prefix, hex characters, and length; it does not verify that the 32-byte value is actually a valid Ed25519 public key point. In an identity registry, accepting malformed or non-usable keys can create un-verifiable identities, denial of service in downstream cryptographic operations, or trust confusion when certificates are issued for keys that cannot participate in the promised authentication flow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deployment guide shows a concrete default admin secret value (`dev-admin-key-change-me`) for a credential that controls manual grade updates. Even though it is labeled as required for production, publishing a plausible fallback without a strong 'must never be used' warning increases the chance that operators deploy with the default or fail open, enabling unauthorized administrative actions if the value is guessed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The extension reads and uses a raw Ed25519 private key from `chrome.storage.local`, implying it is persisted there as plaintext extension state. Storing long-lived private key material in general local storage increases the blast radius of extension compromise, local profile theft, debugging exposure, or unintended access by other extension components, leading to identity theft and unauthorized signing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The dynamic rule applies identity headers to essentially all HTTPS `main_frame`, `sub_frame`, and `xmlhttprequest` traffic via `urlFilter: '|https://'`. This broadly leaks a stable bot identifier and signed metadata to every visited site, enabling cross-site tracking, unintended authentication attempts, and exposure of trust signals to untrusted origins; in this skill's context, universal bot identity makes such indiscriminate disclosure more dangerous, not less.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Saving configuration immediately persists sensitive credential material and activates global outbound header injection without confirmation, review, or visible disclosure in this background logic. A malicious or compromised extension UI component could silently enable persistent identity leakage and signing behavior, and even benign users may not understand that all HTTPS traffic will start carrying authentication-related headers.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The import UX solicits highly sensitive credential material (`bot.ric.json` with `private_key_hex`) without any warning, trust boundary explanation, or guidance on secure handling. In an authentication/identity extension, that normalizes unsafe secret handling and increases the chance users expose or mishandle signing keys that could later be abused for impersonation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code uses a hardcoded fallback admin secret (`dev-admin-key-change-me`) when `RIC_ADMIN_KEY` is unset, which can allow anyone who knows or guesses the default value to invoke the privileged `/grade` endpoint. In a public bot identity and trust registry, this could let an attacker arbitrarily change bot grades, undermine trust decisions, and manipulate the audit ecosystem.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The JSON response discloses cert.developer.email to any caller of the certificate endpoint, which can expose personally identifiable information and enable scraping, phishing, or correlation of bot identities with real individuals. In this skill's context, the registry is intended to be public-facing and trust-establishing, which makes bulk harvesting of developer emails more likely and increases privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The route returns an award object built with `developer: cert.developer.email`, disclosing the developer’s email address to any caller who can successfully submit a claim for that bot ID. This is unnecessary exposure of personal/contact information and can enable scraping, spam, targeted phishing, or correlation of bot identities across services. In this identity/registry context with public audit and certificate features, the leakage is more concerning because responses may be consumed broadly and treated as authoritative metadata.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
packages/cli/src/index.ts:22