GroupMe CLI

Security checks across malware telemetry and agentic risk

Overview

This skill coherently wraps a GroupMe command-line tool and its sensitive behaviors are expected for sending and reading messages.

Before installing, review the linked GitHub repository and package scripts because the setup runs npm commands from source. Treat GROUPME_TOKEN as a secret, prefer protected environment or config storage over command-line arguments, and avoid sending sensitive personal or internal information through GroupMe messages or DMs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly supports sending GroupMe messages and DMs to an external service, but it does not clearly warn that user-provided content will leave the local environment and be transmitted to third-party infrastructure. In an agent setting, that omission can cause users to unknowingly disclose sensitive text, especially when the skill is invoked for automation or scripting.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The authentication section instructs users to supply a GroupMe access token via command line, config, or environment variable without emphasizing that this token is a sensitive credential. This increases the risk of accidental exposure through shell history, logs, screenshots, shared config files, or unsafe environment handling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal