Back to skill

Security audit

Confidant

Security checks across malware telemetry and agentic risk

Overview

Confidant appears to be a legitimate secret-handoff tool, but it needs review because it handles credentials through broad local tooling, optional public tunnels, and under-scoped output/storage paths.

Install only if you trust the @aiconnect/confidant and localtunnel packages and are comfortable running a local credential server. Prefer local-only use, avoid stdout mode, use scoped and revocable secrets, verify every save path before sharing the link, avoid arbitrary file destinations unless necessary, and stop any tmux, server, or tunnel processes after the handoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs agents to execute shell scripts, open tunnels, and interact with network services, but it does not declare permissions or constraints for those capabilities. That mismatch increases the chance that a host platform or reviewer will underestimate the skill's ability to expose secrets over the network or write them to disk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill is presented as a human secure handoff workflow, yet the advanced CLI documents agent-to-agent secret submission and direct retrieval commands such as `fill`, `get-request`, and `get`. Those commands broaden the trust boundary and enable automation paths that can bypass the stated human-in-the-loop guarantees, making secret exfiltration or misuse easier.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document says the agent cannot retrieve the secret itself and must not fetch the URL, but later sections advertise direct retrieval commands. This contradiction is dangerous because it conditions agents and operators to trust a human-only model while quietly exposing machine-retrieval paths that can defeat that guarantee.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The setup script installs localtunnel globally, adding outbound network tunneling capability that is not necessary for a credential handoff tool's core purpose. In a skill specifically meant to handle secrets, bundling a tunnel utility increases the attack surface and could enable exfiltration paths or exposure of local services if later invoked by the skill or operator.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Documenting that the secret may be printed to stdout creates a clear exposure channel into logs, terminal scrollback, wrappers, orchestration transcripts, and shell pipelines. In an agent environment, stdout is often captured automatically, so this undermines the claim of avoiding chat/history exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The direct CLI examples include plaintext secret submission and retrieval operations without warning about shell history, process lists, terminal logging, or captured output. These examples normalize insecure handling and are likely to be copied verbatim by agents or operators, exposing credentials outside the intended secure channel.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script can expose the secret-collection interface through a public localtunnel when `--tunnel` is used, but it does not present a strong upfront warning or confirmation about making a localhost service reachable from the internet. In a credential-handoff tool, that increases the chance an operator unintentionally exposes a sensitive workflow to external access, phishing, or unintended recipients.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script supports saving submitted secrets to disk (`--save`, `--service`) and exporting them via environment variables (`--env`) without an explicit warning about persistence, file permissions, shell history/process exposure, or downstream leakage. In a tool specifically designed to collect credentials, silent persistence materially raises the risk of accidental disclosure or insecure storage.

Ssd 3

High
Confidence
98% confidence
Finding
Allowing a user-provided secret to be printed to stdout for piping or manual inspection directly exposes the secret to any logging or observability layer attached to the agent runtime. Because the skill's purpose is secure secret transfer, this behavior is especially dangerous and contrary to user expectations.

Ssd 3

High
Confidence
97% confidence
Finding
The example to 'just receive' a password with no auto-save implies the password will surface in command output, which is commonly captured by agent frameworks, terminal history tools, and logs. Encouraging this pattern materially increases the risk of credential disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow explicitly states that if no save options are used, the secret is printed to stdout before being destroyed on the server. Destruction on the server does not mitigate local disclosure, and in an agent runtime stdout may be permanently retained in logs or transcripts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.