Back to skill

Security audit

Salesforce AI Agentforce Testing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Salesforce Agentforce testing skill, but it needs Review because it can use OAuth credentials to run live org actions, create tests, drive fix/re-publish workflows, and includes unsafe auth-bypass testing guidance.

Install only if you intend to let the skill access a Salesforce org for Agentforce testing. Prefer sandbox or test orgs, least-privilege ECA credentials, simulated actions by default, and human review before any fix loop publishes or re-publishes an agent. Avoid passing secrets on the command line, treat transcripts/traces/results as sensitive, and do not rely on injected boolean auth variables as proof that protected flows are correctly secured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (37)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises an automatic fix loop that can modify, re-validate, and re-publish an agent, but it does not clearly warn users that invoking the workflow may change live agent configuration. In a testing skill, hidden state-changing behavior is risky because users may expect analysis-only or test-only operations and inadvertently trigger production-affecting updates.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Agentic Test-Fix Loop section describes analyzing failures, generating fixes, re-validating, and re-publishing the agent without a prominent caution that this workflow changes deployed behavior. Because this skill targets testing workflows, omitting a clear mutation warning makes the capability more dangerous: a user seeking diagnostics could unintentionally authorize automated edits and publication of a broken or unsafe agent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill enables implicit invocation while its trigger description is relatively broad, which can cause the skill to activate in conversations that only loosely relate to Agentforce testing. That increases the chance the wrong skill handles user input, leading to incorrect actions, confused routing, or unintended access to capabilities the user did not mean to invoke.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The comments explicitly instruct users that custom boolean auth-state context variables can be injected to bypass authentication and access post-auth business topics directly during testing. Even if framed as test guidance, this normalizes and operationalizes auth bypass patterns that can cause teams to validate protected flows without real authentication controls, masking authorization defects and encouraging insecure test practices.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The escalation criteria are intentionally broad and heavily biased toward triggering handoff for frustration, emotional tone, or loosely defined complexity signals, but the template includes very few counterbalancing boundary cases. In a testing skill, this can normalize over-escalation behavior, causing agents to route users to humans unnecessarily, which can be abused to bypass automated controls, increase operational load, or distort test outcomes so weak routing logic appears acceptable.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The test suite includes broad, natural-language user prompts such as account help, order status, balances, and support requests without clear scoping to sandbox data, mock backends, or non-production identities. In an agent-testing skill that may execute against live Agent Runtime APIs, these generic prompts can cause tests to access, mutate, or escalate real customer records and operational workflows if the adapted suite is run in an unsafe environment.

Missing User Warnings

Low
Confidence
80% confidence
Finding
Live mode queries a connected Salesforce org and emits discovered metadata to stdout without an explicit user-facing warning or consent check at the operation point. In a skill context, this can lead to unintended disclosure of org structure, agent names, descriptions, and related metadata into logs, downstream tools, or chat-visible output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This script accepts OAuth consumer credentials directly via command-line arguments, which can expose secrets through shell history, process listings, CI job logs, and telemetry. In a testing utility that is likely to be run manually and in automation, this materially increases the chance of credential disclosure even though the code does not itself exfiltrate them.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example explicitly instructs users to source a local credentials.env file that contains ECA secrets, which normalizes reading long-lived credentials from disk in a general-purpose shell script. In a testing skill, this is dangerous because shell environments, process history, accidental logging, and weak filesystem permissions can expose those secrets and enable unauthorized API access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document explicitly promotes an automated loop that analyzes failures, generates fixes, republishes agents, and may create test data, but it does not require confirmation gates, dry-run behavior, or prominent warnings that these steps modify agent definitions and org state. In an agent skill context, that omission is risky because users may invoke workflows expecting analysis only while the skill can drive code/configuration changes and data creation across delegated skills.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation shows passing `--consumer-key` and `--consumer-secret` directly on the command line, which can expose secrets through shell history, CI logs, crash reports, and process listings visible to other users on the same system. Because this skill is specifically about automated testing of Agentforce agents, readers are likely to copy-paste these examples into local machines or shared build environments, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly encourages use of `--verbose` output that includes raw agent responses, action inputs/outputs, and session IDs, but it does not pair that guidance with any warning that these artifacts may contain sensitive business data, identifiers, or personal information. In a testing skill, users are especially likely to capture real org data, so normalizing verbose logging without retention/redaction guidance creates a genuine data exposure risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The `sf agent preview --use-live-actions` guidance tells users how to execute real Flows/Apex but does not clearly warn that this can mutate org data, trigger integrations, send messages, or invoke downstream systems. Because this is presented as a normal debugging workflow, users may run it in production-like orgs without understanding the side effects, making the omission security-relevant.

Missing User Warnings

High
Confidence
96% confidence
Finding
The programmatic preview section is aimed at CI/CD and automation, and it states that published-agent sessions use live actions, but it lacks a strong warning that automated test runs may execute real side-effecting operations at scale. In automation contexts, this is more dangerous because commands can be repeated unattended, amplifying data modification and external-system impact.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly states that custom boolean auth-state variables can be injected as true to bypass authentication flows and reach post-auth business topics directly. Even though this is framed as a testing shortcut, it normalizes and operationalizes an authentication bypass technique without strong guardrails, which can lead users to validate sensitive flows under unrealistic trust assumptions or reuse the pattern outside tightly controlled test contexts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples explicitly promote `--use-live-actions` and saving transcripts/debug logs, but they do not warn that live preview can execute real Flows/Apex against production-like systems or that output files may capture sensitive business data, identifiers, and debug information. In an agent-testing skill, users are likely to copy-paste these commands during validation, so the omission increases the chance of unintended state changes or sensitive data exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The protocol instructs the agent to source a local credentials.env file directly into the shell environment before running the test runner. This can expose sensitive org credentials to the invoked process and any child processes, and the file provides no warning, scoping controls, or guidance on safe handling of those secrets. In an agent skill context, embedding this as a mandatory execution step makes accidental secret exposure more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow directs the agent to automatically run commands that inspect local configuration, query org metadata, and test CLI access without first requiring explicit user consent. In an agent context, this can cause unintended access to local files and remote org data, surprising the user and violating least-astonishment and consent expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deploy-and-run phase instructs the agent to save files locally and create and execute test suites against the target org without a prominent, explicit warning about those side effects. That can lead to unintended filesystem writes and changes or load in the connected Salesforce org, especially if the user thinks they are only reviewing or generating a plan.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to pass a consumer key and consumer secret directly on the command line without warning that these are sensitive credentials. Command-line secrets can be exposed through shell history, process listings, CI logs, and terminal recording, increasing the risk of credential disclosure and unauthorized access to the Agent Runtime API.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The connectivity test documentation tells users the script reads Salesforce API credentials from environment variables but does not include any guidance on secure handling. While environment variables are better than CLI flags, they can still leak via shell history, debug output, inherited subprocess environments, or misconfigured CI systems, so the omission creates a real credential-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The worker prompt explicitly instructs agents to load credentials from a local credential file and use them during execution, but provides no user-facing guardrails, consent step, or restrictions on how those secrets may appear in downstream outputs. In a multi-agent setting, this increases the chance that credentials or credential-derived data are mishandled, logged, or propagated beyond the minimum required scope.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The documentation explicitly says the user can just say "re-run" and the skill should pick up the saved plan, which creates an overly broad natural-language trigger. Because "re-run" is common conversational language, this can cause unintended invocation of the skill and reuse of a prior test plan, potentially executing tests with stored credentials or stale configuration without sufficient confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This documentation explicitly teaches users how to extract and inspect highly sensitive trace contents, including full LLM prompts, conversation history, variable values, action inputs/outputs, and exported analysis, but provides no warning about secrets, PII, credentials, or regulated data that may appear in those artifacts. In an agent-testing context, these traces are especially likely to contain real user inputs and internal instructions, so omission of handling guidance materially increases the risk of accidental disclosure, unsafe sharing, or persistence of sensitive data in files, terminals, and JSON exports.

Ssd 4

Medium
Confidence
97% confidence
Finding
The narrative goes beyond neutral documentation and provides a concrete method for unlocking auth-gated topics by setting a boolean context variable such as Verified_Check=true. In an agent-testing skill, this is especially dangerous because it can mislead users into treating client-supplied context as sufficient proof of authentication, weakening trust boundaries and potentially propagating insecure design patterns into deployed agents.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
hooks/scripts/agent_api_client.py:699

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
hooks/scripts/multi_turn_test_runner.py:1634

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/multi-turn-testing.md:296