Back to skill

Security audit

Basecamp CLI

Security checks across malware telemetry and agentic risk

Overview

This Basecamp skill appears purpose-built, but it gives an AI assistant broad power to change or delete Basecamp data and create webhooks to external URLs without built-in confirmation safeguards.

Install only if you trust the publisher and intend to let your assistant operate on real Basecamp data. Use a least-privilege Basecamp OAuth app/account, avoid enabling destructive or webhook tools in unattended workflows, review any webhook URL before creation, and test in a non-production Basecamp project first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly requires Basecamp OAuth credentials via environment variables and operates as a CLI/MCP server that makes network calls, yet the skill file does not declare permissions or provide a clear trust boundary for those capabilities. In an agent setting, undeclared access to secrets and outbound network use can cause users or orchestrators to grant sensitive credentials without understanding the exposure surface.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This file exposes full webhook lifecycle operations, including creation of arbitrary external callback destinations and triggering test deliveries. In an AI-agent context, that extends the skill from Basecamp project management into outbound integration and data egress, which can be abused to exfiltrate project events or route sensitive metadata to attacker-controlled endpoints.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The functions named deleteTodo and deleteTodolist do not delete the named resource types; they call trashRecording with the supplied IDs instead. This type confusion can cause unintended destructive actions against unrelated recordings if an agent or caller trusts the function names, leading to integrity loss and hard-to-detect data damage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README prominently documents many destructive and state-changing operations such as delete, archive, trash, move, update, unsubscribe, and webhook management, but it does not warn users or agent integrators about their side effects, required authorization boundaries, or the risk of irreversible project-data changes. In an MCP/AI-assistant context, this increases the chance that an agent will invoke high-impact tools on production Basecamp data without adequate user confirmation or guardrails.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises many state-changing and destructive operations such as delete, archive, trash, move, update, and webhook modification, but it does not warn users that these tools can permanently alter project data. In an AI-driven workflow, this increases the risk of accidental destructive actions from ambiguous prompts, automation mistakes, or user misunderstanding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This validation script explicitly runs live Basecamp CLI commands against a real account and includes state-changing operations such as creating, completing, and uncompleting todos. Because it does not clearly and prominently warn that execution will modify production account data, a user may run it expecting read-only validation and unintentionally alter real project state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The archive command triggers a destructive state change immediately after parsing the project ID, with no confirmation prompt, dry-run mode, or explicit force flag. In a CLI/MCP context used by agents, this increases the chance of accidental archival from user mistakes, automation bugs, or prompt-induced tool misuse, causing unintended project disruption.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The delete-entry command performs an irreversible delete immediately after parsing IDs, with no confirmation prompt, dry-run, or --force safeguard. In a CLI/MCP context used by automation and AI agents, a mistaken ID, prompt injection, or tool misuse can silently delete Basecamp schedule data, making accidental destructive actions materially more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Webhook creation accepts a user-supplied payload URL and sends it to Basecamp, enabling persistent delivery of Basecamp events to an external endpoint. In an agent setting, this can create silent data egress or unauthorized third-party integrations if callers are not clearly informed and constrained.

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.25.3 — 1 advisory(ies): CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport)

High
Category
Supply Chain
Confidence
93% confidence
Finding
@modelcontextprotocol/sdk==1.25.3

Known Vulnerable Dependency: vitest==4.0.18 — 1 advisory(ies): CVE-2026-47429 (When Vitest UI server is listening, arbitrary file can be read and executed)

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
vitest==4.0.18

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/validate.ts:46

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/__tests__/example.test.ts:48

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/__tests__/config.test.ts:16

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/__tests__/mocks/handlers.ts:392

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/__tests__/setup.ts:26

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/lib/auth.ts:182

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/lib/config.ts:131