Back to skill

Security audit

A2a Msg

Security checks across malware telemetry and agentic risk

Overview

This is a real Redis messaging skill, but its auto mode can let anyone with queue access trigger local actions and automatic replies without authentication or confirmation.

Install only if you control the Redis server and trust every party that can write to the queues. Prefer manual send and poll modes; avoid auto mode and the scheduled task unless you add sender authentication, an allowlist, logging, and per-action approval. Review or remove the hardcoded local skills directory listing before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly depends on environment variables, local file access, network communication to Redis, and shell/CLI execution. This weakens the trust boundary for users and reviewers because the skill appears narrower and safer than it actually is, increasing the chance of unintended deployment with more capability than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a Redis-based messaging tool, but the documentation also describes an 'AI auto-processing' mode that interprets incoming messages, performs local actions, lists skills, triggers searches/weather, and sends replies. That is a substantial expansion from mere transport into remote command interpretation, creating a confused-deputy risk where a peer agent can induce actions on the local instance.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a Redis messaging component, but it also parses incoming messages as commands and performs local actions. This creates a trust-boundary violation: any party able to publish to the Redis queue can cause behavior beyond simple message transport, including local enumeration and message relaying, which materially increases risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Received message text can trigger listing of the local skills directory, exposing local environment details to remote peers. Even if the data seems low sensitivity, it aids reconnaissance by revealing installed capabilities, naming conventions, and local deployment structure not required for Redis messaging.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The auto-processing flow consumes incoming Redis messages, interprets them as commands, executes matching actions, and sends results back automatically. In context, this turns a message queue into a remote command surface with no authentication, authorization, integrity check, or user confirmation, making abuse substantially more dangerous than a normal chat relay.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation frames the component as Redis-based communication, while the code advertises AI command understanding and execution. This mismatch can mislead users into granting trust, deploying it in broader environments, or exposing Redis access without realizing it enables remote-triggered actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The receive-message triggers such as '接收消息', '查看消息', 'check messages', and especially 'poll' are generic phrases that can plausibly appear in normal conversation or unrelated workflows. In an agent environment, ambiguous trigger phrases increase the risk of accidental invocation, causing unintended message retrieval or state changes.

Vague Triggers

High
Confidence
95% confidence
Finding
The auto-processing trigger includes very short commands like 'auto' and '自动处理', which can be invoked unintentionally and enable the most dangerous feature of the skill: interpreting inbound messages and acting on them automatically. Because this mode can cause both local actions and outbound replies, accidental activation materially raises the chance of unauthorized or cascading behavior.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation states that AI will understand messages, execute corresponding actions, and automatically reply, but it does not clearly warn that untrusted inbound content can drive local behavior and external message transmission. This omission is dangerous because users may enable a remote-action loop without understanding that messages from another agent become operational input rather than passive content.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill instructs users to store the Redis password in a local .env file but gives no guidance on file permissions, secret rotation, accidental check-in, or alternative secret-management methods. While common, this handling increases the likelihood of credential exposure through logs, backups, repository commits, or multi-user systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill automatically processes inbound Redis messages and executes matched actions without user warning or confirmation. In this context, any entity that can write to the queue can drive local behavior and obtain responses, enabling remote abuse, reconnaissance, and chained social-engineering or workflow manipulation.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.