Back to skill

Security audit

Oauth Helper

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it automates sensitive login and OAuth flows while sending authentication-related information through Telegram, so it should be reviewed carefully before use.

Install only if you are comfortable letting the agent operate login and OAuth pages in your browser. Use a dedicated browser profile or test accounts where possible, verify the relying party, provider, and requested scopes before any approval, and avoid using it with sensitive personal or business accounts unless Telegram screenshots and login-state exposure are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an OAuth helper with Telegram confirmation, but the documented provider flows include direct username/password and 2FA field interaction for Apple, Microsoft, GitHub, Discord, and QQ. That mismatch materially expands the trust boundary from consent automation to credential-handling automation, which can enable credential collection, misuse of stored sessions, and unsafe operation on login pages users may not expect the agent to control at that depth.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill claims support for 7 providers, but the usage example shows detection and selection of Facebook and Yahoo on arbitrary third-party sites. This discrepancy means the effective scope is broader than advertised, increasing the chance the agent will interact with unreviewed identity flows or misleading UI elements beyond the documented trust model.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow sends login-related prompts and, elsewhere in the skill, screenshots over Telegram without clearly warning users in the description that authentication metadata may leave the browser context. Even if intended for user confirmation, transmitting site names, QR codes, consent screens, or login-state screenshots over a messaging platform creates an additional exposure channel for sensitive information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prerequisites require the browser profile to already be logged into multiple identity providers, but the description does not clearly warn that the skill depends on privileged, pre-authenticated sessions. That context makes accidental or unauthorized account linking more dangerous because a simple click sequence can authorize third-party access without re-authentication.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Sending failure screenshots for debugging can expose passwords, email addresses, QR codes, consent scopes, session identifiers visible in the UI, or other sensitive authentication artifacts. In the context of an OAuth/login automation skill, screenshots are especially risky because they may capture high-value account and authorization details at the most sensitive stage of the workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.