Back to skill

Security audit

erxes Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real erxes management skill, but it gives the agent broad owner-level power over business data with weak permission guardrails.

Install only if you intend to let the agent manage an erxes workspace. Use a test or least-privileged account where possible, verify the ERXES_BASE_URL and package identity before login, avoid sharing command output that contains tokens, and require explicit approval before any write, invite, email, contract, invoice, payment, automation, or team-management action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill invokes a shell-based login helper but does not declare shell capability/permissions. That creates an undeclared execution surface and prevents proper policy gating or user review of what the skill can run. In a security-sensitive environment, hidden shell execution is risky even if used only for authentication.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill advertises general GraphQL data management, but the documented behavior prominently includes browser-based OAuth login, token retrieval, and session handling while not actually defining the promised CRUD operations in this file. This mismatch can mislead operators about the true behavior and trust boundary, increasing the chance that users authorize a token-granting flow they did not expect.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file advertises additional private-plugin domains such as blocks, projects, zonings, units, opportunities, tasks, triage, teams, statuses, cycles, milestones, notes, activities, and templates that appear broader than the declared erxes data-management scope. This can mislead an agent or operator into assuming authority over undocumented or out-of-scope data domains, increasing the chance of unintended access, unsafe tool use, or privilege creep.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The instruction to assume owner privileges by default and ignore backend permission names unless the API rejects the call encourages the agent to attempt privileged operations without validating whether the user should be allowed to perform them. In an agent setting, this weakens least-privilege behavior and can turn server-side authorization gaps or misconfigurations into real unauthorized access or modification of workflow data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This text explicitly normalizes proceeding with template operations even when permission checks appear to be missing, relying on runtime rejection instead of preventive control. That is dangerous because it instructs the agent to probe or use endpoints that may lack proper authorization enforcement, potentially exposing or modifying template data if the backend is permissive.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation guidance is broad enough that the skill may be selected for generic business-record requests without the user clearly intending block-domain actions. In an owner-mode skill with create, update, publish, transfer, and delete operations, overbroad routing increases the chance of unintended access to sensitive business objects or accidental destructive changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented `blockSendOfferEmail` capability enables an external side effect but the safety rules do not require explicit confirmation, preview, recipient validation, or user warning. That makes it easy for a prompt, misunderstanding, or malicious instruction chain to trigger unauthorized outbound email, causing data leakage, spam, reputational harm, or premature disclosure of commercial terms.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document provides many destructive and state-changing operations—create, update, merge, invite, deactivate, and delete—without clear user-facing cautions that these act on live data. In an agent skill context, this increases the risk of an LLM or user invoking irreversible operations without informed consent, confirmation, or understanding of production impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples include bearer tokens, subdomain headers, email addresses, phone numbers, and even invitation passwords without guidance on secret handling, redaction, or safe storage. In an agent-integrated environment, such examples normalize passing sensitive credentials and personal data through prompts, logs, or telemetry, which can lead to credential leakage and privacy violations.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Forcing owner-mode by default is effectively guidance to bypass normal authorization reasoning and defer to the backend to catch misuse. In practice, this increases risk of unauthorized data access, mutation, or destructive actions whenever backend checks are incomplete, inconsistently applied, or misunderstood by the agent.

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
Downplaying permission failures and telling the agent to proceed first conditions the system to treat authorization as an after-the-fact concern. This is unsafe in a tool that can manage projects, tasks, teams, statuses, cycles, and templates, because the agent may initiate sensitive operations that should have been blocked before execution.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Reaffirming owner-mode specifically where permission checks may be missing is particularly risky because it directs the agent toward potentially unprotected functionality. If exploited in a weakly enforced backend, this could lead to unauthorized template listing, creation, editing, or deletion.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the full OAuth token response, including the access token, to stdout as JSON. In agent, CI, or shell-integrated environments, stdout is commonly captured in logs, command history, transcripts, or downstream tooling, which can unintentionally disclose credentials and allow unauthorized API access.

Ssd 1

Medium
Confidence
91% confidence
Finding
The owner-mode wording semantically encourages privilege overreach by framing broad access as normal behavior. Even if some backends enforce permissions correctly, this guidance degrades security posture by teaching the agent to prefer privileged execution patterns instead of least privilege.

Ssd 1

Medium
Confidence
90% confidence
Finding
The repeated narrative to attempt privileged actions first and only surface access issues after failure creates an insecure operational norm. In agentic systems, such guidance matters because it influences actual behavior across many actions, increasing the chance of unauthorized attempts and accidental misuse.

Ssd 1

Medium
Confidence
94% confidence
Finding
Applying the same owner-mode framing to template endpoints despite acknowledging absent permission metadata normalizes unsafe access assumptions around an especially uncertain area. That makes the context more dangerous, not less, because uncertainty about enforcement should raise caution.

Credential Access

High
Category
Privilege Escalation
Content
- Read `accessToken` from the login JSON response.
- Send `Authorization: Bearer <accessToken>` and `erxes-subdomain: <subdomain>` headers on GraphQL calls.
- If the access token expires during the current task, use the in-memory `refreshToken` to get a new access token.
- Do not write tokens to `.auth.json` or any other project file.
- Read [erxes-graphql-api.md](./erxes-graphql-api.md) only when you need query or mutation examples.
- Assume OpenClaw is operating as the erxes owner unless the live API proves otherwise.
Confidence
88% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
- Read `accessToken` from the login JSON response.
- Send `Authorization: Bearer <accessToken>` and `erxes-subdomain: <subdomain>` headers on GraphQL calls.
- If the access token expires during the current task, use the in-memory `refreshToken` to get a new access token.
- Do not write tokens to `.auth.json` or any other project file.
- Read [erxes-graphql-api.md](./erxes-graphql-api.md) only when you need query or mutation examples.
- Assume OpenClaw is operating as the erxes owner unless the live API proves otherwise.
Confidence
88% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.