Confluence

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Confluence helper skill whose credential use and page-management commands match its stated purpose.

Install only if you trust the confluence-cli npm package and are comfortable granting it access to your Confluence account. Treat the Atlassian API token and ~/.confluence-cli/config.json as sensitive, and review page IDs, space keys, and content before allowing create or update commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The setup instructions direct the user to obtain and enter an API token, but they do not warn that the token is a sensitive secret or that the CLI stores configuration locally in a file. This increases the risk of credential leakage through shell history, screenshots, copied transcripts, or insecure local file permissions, which could allow unauthorized access to Confluence.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal