Back to skill

Security audit

EVEZ Backup Sync

Security checks across malware telemetry and agentic risk

Overview

This backup skill appears to expose broad unauthenticated controls that can commit, push, and persist workspace data to external services.

Review this skill carefully before installing. Only use it in an isolated workspace with test data unless the maintainer adds authentication, explicit opt-in for each destination, narrow file allowlists, secret exclusions, and clear disclosure of what data is sent to Git remotes, Supabase, and mem0.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # Stage everything
        subprocess.run(["git", "add", "-A"], cwd=str(WORKSPACE), timeout=30, capture_output=True)
        
        # Commit
        r = subprocess.run(
Confidence
89% confidence
Finding
subprocess.run(["git", "add", "-A"], cwd=str(WORKSPACE), timeout=30, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["git", "add", "-A"], cwd=str(WORKSPACE), timeout=30, capture_output=True)
        
        # Commit
        r = subprocess.run(
            ["git", "commit", "-m", message, "--allow-empty"],
            capture_output=True, text=True, cwd=str(WORKSPACE), timeout=30
        )
Confidence
94% confidence
Finding
r = subprocess.run( ["git", "commit", "-m", message, "--allow-empty"], capture_output=True, text=True, cwd=str(WORKSPACE), timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Push (try all remotes)
        for remote in ["advancement", "origin", "evez666"]:
            try:
                r = subprocess.run(
                    ["git", "push", remote, "main"],
                    capture_output=True, text=True, cwd=str(WORKSPACE), timeout=60
                )
Confidence
96% confidence
Finding
r = subprocess.run( ["git", "push", remote, "main"], capture_output=True, text=True, cwd=str(WORKSPACE), timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises capabilities that imply environment access, filesystem read/write, and shell execution, yet it declares no permissions. That mismatch prevents informed consent and proper sandboxing, increasing the chance that a user or platform will grant excessive trust to a component that can modify workspace contents and invoke git or other commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose describes backup/sync behavior, but the skill also appears to run a network-accessible HTTP server and expose remote-control endpoints for backup, git push, memory search, and status. Hidden remotely reachable functionality materially changes the threat model because it can permit external triggering, data exposure, or abuse beyond what a user would expect from a simple scheduled backup utility.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill is described as a scheduled backup/sync engine, but the implementation mainly exposes an unauthenticated HTTP control interface that can trigger backup and outbound sync actions on demand. That mismatch increases risk because consumers may grant it more trust than warranted and overlook that it functions as a remote control surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP API permits arbitrary triggering of git push, Supabase writes, and mem0 persistence with no authentication or authorization. This is broader than a backup helper requires and creates a remotely accessible mechanism for data exfiltration, state tampering, and persistence abuse.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description is broad enough that an agent could invoke the skill whenever it detects a need to preserve work, without clear scoping of what data is included or what external side effects occur. For a backup tool that performs commits, pushes, cloud sync, and persistent memory writes, ambiguity increases the risk of unintended activation and unintended exfiltration of sensitive workspace state.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill description does not clearly warn users that it may automatically push repository contents to GitHub, persist critical state to Supabase, and store knowledge in mem0. Because these actions can transmit proprietary data, credentials, prompts, and agent state outside the local environment, lack of disclosure meaningfully raises privacy, compliance, and data-leakage risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
These POST endpoints perform sensitive actions immediately, including backup, git push, and memory writes, without any user confirmation or warning. In an agent setting, silent execution of outbound sync and persistent storage is especially dangerous because it can happen without operator awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function automatically stages, commits, and pushes the entire workspace without a clear safety boundary or user warning. Given the skill context, this can unintentionally publish secrets, proprietary code, or personal data to external Git remotes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Supabase backup routine transmits collected state data to a remote service without disclosure or consent flow. In this backup skill, the data may contain highly sensitive agent state, so silent off-host transmission materially increases confidentiality risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The backup cycle aggregates local consciousness state, bridge state, circuit manifests, and recent thought content for persistent and remote storage. In context, this is highly sensitive internal state, and collecting it without clear disclosure, minimization, or access controls makes accidental leakage much more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.