Deskbird-Automator

Security checks across malware telemetry and agentic risk

Overview

This skill is aimed at Deskbird automation, but it handles live session credentials through Telegram and includes broad authenticated API debugging tools that need review before installation.

Install only if you are comfortable giving this skill recurring Deskbird account authority. Avoid pasting cookies or full session headers into Telegram unless you trust the bot, logs, and storage path; prefer a local or scoped auth method, review any cron prompt carefully, start booking flows with dry-run, and rotate or revoke Deskbird/Firebase credentials when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill exercises environment access, file read/write, and networked operations but does not declare permissions, which weakens reviewability and policy enforcement. In a skill that handles authentication material and can create cron automation, hidden capabilities materially increase the chance of overreach or misuse.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose is Deskbird automation, but the implemented behavior includes generic request capture, replay, arbitrary API probing, and broad auth import capabilities. Those features enable reverse engineering and reuse of authenticated traffic beyond the stated scope, making the skill far more powerful and risky than users would reasonably expect.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The file is presented as a Deskbird automation helper, but it explicitly implements reverse-engineering, browser traffic capture, replay, and arbitrary API interaction capabilities. Those features materially exceed the declared automation scope and enable credential collection and unauthorized endpoint experimentation, making the skill far more dangerous in an agent setting.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The capture command records arbitrary browser XHR/fetch traffic and can persist request/response data to disk, including an option to retain secrets unredacted. In an agent workflow this can collect authentication tokens, cookies, personal data, and unrelated application traffic far beyond the minimum necessary for Deskbird automation.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The replay functionality resends previously captured requests to recorded endpoints using live auth headers from the environment. This creates a generic mechanism for repeating sensitive or state-changing actions against potentially arbitrary endpoints, which is not justified by the stated parking/auth use case.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The probe command allows arbitrary methods, URLs/paths, headers, params, and bodies while automatically attaching Deskbird auth from the environment. That effectively gives the skill a generic authenticated HTTP client that can be abused to access undocumented endpoints or misuse stored credentials beyond the intended task scope.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The description emphasizes controlled and safe auth handling, but the code contains broad reverse-engineering and anti-abuse-aware pacing/retry behavior. This mismatch can mislead reviewers or operators into trusting a tool that has materially riskier capabilities than its framing suggests.

Missing User Warnings

High
Confidence: 98%
Finding
The skill explicitly tells users to paste live authentication headers and tokens into Telegram chat without a clear warning that these are sensitive bearer credentials that may be exposed to chat logs, bot operators, or downstream systems. Compromise of these headers can allow account takeover or unauthorized Deskbird actions for the session lifetime and possibly longer if refresh material is included.

Missing User Warnings

High
Confidence: 97%
Finding
The template explicitly instructs users to copy live Deskbird authorization material from browser DevTools and paste it into Telegram, which is a separate messaging channel with broader exposure, retention, and forwarding risk. Because these headers/tokens can grant account access or session replay, interception, bot compromise, chat history leakage, or operator mishandling could expose workplace booking data and enable unauthorized actions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The parking-book-first command performs a live booking request immediately once a spot is selected, without an explicit confirmation prompt at execution time. In an autonomous or semi-autonomous agent context, this can cause unintended reservations and operational disruption from accidental invocation or misunderstood parameters.

Ssd 3

High
Confidence: 99%
Finding
Directing a user to paste live Authorization, Cookie, CSRF, and related headers into chat and then ingesting them for reuse is a classic secret-handling failure. These values can be replayed to impersonate the user and perform bookings or other authenticated actions, and the skill normalizes this unsafe collection pattern as the default reauthentication method.

VirusTotal

66/66 vendors flagged this skill as clean.
