Pingcode Enhanced

Security checks across malware telemetry and agentic risk

Overview

This looks like a real PingCode helper, but it can access sensitive company data and is documented to change work items without adequate safeguards.

Install only with a dedicated least-privilege PingCode app, preferably read-only unless you intentionally need work-item updates. Treat update commands as sensitive actions requiring explicit human confirmation, avoid writing reports to shared or synced paths, and avoid broad directory or wiki queries in terminals or transcripts that may be logged. Also verify the scripts before relying on them, because most included Python files currently contain syntax errors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill requires environment secrets and clearly documents network access to PingCode APIs plus local file output, but it declares no explicit permissions or safety boundaries. This creates a transparency and consent problem: users and platforms cannot accurately assess that the skill can access sensitive enterprise data and write files locally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The description frames the skill primarily as a query/integration tool, but the documented behavior includes mutating work items, generating reports to disk, and retrieving comments, work hours, followers, and other potentially sensitive metadata. This mismatch can mislead users into authorizing a tool they believe is read-only, increasing the risk of unintended data modification or broader data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The script computes a `since` timestamp from `--days` and tells users the results are limited to the last N days, but it never uses that value in the API request or local filtering. This creates a logic flaw that can expose older test-run data than the operator intended, which is a confidentiality and least-surprise issue in a data-querying skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation shows commands that directly modify assignee, dates, priority, and status without any warning to confirm intent or verify authorization. In an agent setting, this can lead to accidental or unauthorized project changes that disrupt workflows, alter accountability, or damage planning data.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding: The weekly report example writes to a local file path without warning about file creation, overwrite behavior, or sensitive report contents. In practice this can cause unintentional overwrites or leave internal project summaries on disk in locations accessible to other users or processes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The organization queries expose personal and directory information such as email, phone, roles, and department data without any privacy warning or usage constraints. In an enterprise environment, this increases the risk of unnecessary PII access, internal enumeration, or misuse of staff contact information.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The wiki examples include retrieving full page content without warning that internal knowledge-base pages may contain sensitive business, technical, or security information. This makes inadvertent disclosure more likely, especially when an agent is used broadly across projects or by users with varying expectations about data sensitivity.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The documentation shows obtaining OAuth tokens with `client_id` and `client_secret` in the URL query string. Query parameters are commonly logged by clients, proxies, gateways, browser history, and monitoring systems, which can leak long-lived credentials and allow unauthorized API access if exposed.

Missing User Warnings

Severity: Medium
Confidence: 75%
Finding: The script transmits API credentials to an external service without any explicit user-facing notice at runtime beyond failing when variables are absent. In an agent-skill context, undisclosed outbound transmission of secrets is more sensitive because users may invoke the skill without realizing that locally provided credentials will be sent off-box to a third-party API.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script can print directory PII including email addresses and phone numbers for all users or for a selected user, and it does so without access controls, redaction, or any explicit warning. In an agent-skill context, this increases the risk of oversharing sensitive organizational directory data to logs, terminals, transcripts, or downstream tools beyond the minimum necessary output.

VirusTotal

65/65 vendors flagged this skill as clean.