Back to skill

Security audit

Pndr

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pndr productivity integration, but installing it can let an AI assistant read, change, download, and delete data in your Pndr account.

Install this only if you are comfortable giving an AI assistant access to your Pndr account. Prefer a dedicated, revocable token, keep the client secret and bearer token out of chats, screenshots, and shared config files, and require confirmation before delete, archive, bulk edit, or attachment download actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises many write and delete capabilities such as deleting ideas, thoughts, lists, packages, tags, comments, and checklist items, but it does not clearly warn users that the integration can perform destructive operations on personal data. In an agentic context, missing disclosure increases the chance that a user authorizes the skill without understanding that natural-language requests or agent mistakes could permanently modify or remove data.

Credential Access

High
Category
Privilege Escalation
Content
## Authentication

Pndr uses OAuth 2.0 client credentials flow. Access tokens expire after 1 year (365 days).

To refresh your token, repeat the `curl` command from step 2 and update your mcporter config with the new Bearer token.
Confidence
90% confidence
Finding
Access tokens

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.