Back to skill

Security audit

zentao-api-old

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ZenTao automation skill, but it handles plaintext credentials, persists reusable sessions locally, and exposes broad create/edit/delete authority over project data with limited safety guidance.

Install only if you are comfortable giving the skill a ZenTao account that can change or delete project data. Use a least-privilege account, keep TOOLS.md out of source control, avoid printing credentials, and remove or protect .zentao/sessions/ when the skill is no longer needed. Treat delete, close, unlink, and bulk-create actions as operations that should require explicit user confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation states that creating a Jenkins server can be performed via GET/POST, which exposes a state-changing operation through a method commonly assumed to be safe and cacheable. This can enable accidental triggering, CSRF exposure, unsafe prefetching by browsers or intermediaries, and inconsistent client behavior around a privileged administrative action.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation defines deletion of Jenkins server configuration as a GET request, which is unsafe because a destructive action can be triggered by visiting a link, loading an image, or automated crawling/prefetching. In an admin integration context, this materially increases CSRF risk and the chance of unintended deletion of CI/CD configuration.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation specifies a destructive delete operation as a GET endpoint, which violates the expected safe/read-only semantics of GET. This can enable accidental or cross-site triggered deletion through link prefetching, crawlers, browser navigation, or CSRF-style abuse if the backend follows the documented behavior.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Documenting case removal as a GET operation creates the same unsafe pattern for mutating application state through a method widely assumed to be non-mutating. If implemented this way, users or systems could unintentionally remove linked test cases through crafted links, embedded resources, or automated requests.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document specifies multiple state-changing endpoints such as create, edit, assign, finish, close, and delete as accepting GET or GET-only. Using GET for unsafe actions breaks HTTP safety assumptions and can enable accidental triggering via link prefetching, crawlers, caches, or CSRF-style attacks because browsers and intermediaries treat GET as a read operation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The '删除待办' endpoint is documented as a GET request even though it deletes data. A deletion action reachable by GET is especially dangerous because it may be triggered unintentionally by visiting a URL, loading embedded content, automated scanning, or cross-site request mechanisms, resulting in unauthorized or accidental data loss.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module includes a helper that scrapes ZenTao credentials from a local TOOLS.md file, which expands its behavior from being a normal API client into secret discovery. That creates an unexpected credential-access path and can exfiltrate or misuse stored credentials if this library is invoked in automation or agent contexts where local docs may contain sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly instructs users to place a ZenTao endpoint, username, and password in a project-root `TOOLS.md` file, which is likely to be stored in plaintext and can be accidentally committed to source control, shared with collaborators, or exposed through tooling that indexes project documentation. In the context of an agent skill that automates API actions, compromised credentials could let an attacker create, modify, or close requirements, tasks, bugs, and releases in the target ZenTao instance.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes destructive operations such as delete and close actions without explicit confirmation, authorization, or user-warning guidance. In an agent setting, this increases the risk of accidental or unsafe state-changing actions against live project-management data, including task or bug deletion.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill describes automatic session persistence to '.zentao/sessions/' without warning about protecting session artifacts or restricting access. Persisted authenticated sessions can be reused by other local users, processes, or compromised tools, potentially enabling unauthorized API actions without reauthentication.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation exposes a generic API debugging endpoint that accepts a file path and action, but provides no warning about the security sensitivity of such functionality. Debug endpoints commonly enable introspection, arbitrary file/module access, or privileged operations, so documenting them as ordinary public API surface increases the risk of misuse or accidental exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
An endpoint described as executing SQL queries based on user-supplied input is inherently dangerous because it suggests direct database query capability through the API. Without strong warnings and strict server-side controls, this kind of interface can lead to unauthorized data access, data modification, or destructive database operations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
An endpoint for retrieving API authentication information is sensitive by nature, because even metadata about authentication schemes, tokens, or account state can aid attackers in reconnaissance or credential abuse. Documenting it without privacy or access-control warnings normalizes exposure of auth-related information and may encourage unsafe implementation or deployment.

Missing User Warnings

High
Confidence
97% confidence
Finding
API key management is a highly sensitive administrative function, and documenting it as a routine GET/POST endpoint with no credential-handling warning is dangerous. If such an endpoint is insufficiently protected, attackers could create, view, rotate, or revoke keys, enabling full compromise of downstream API access and persistent unauthorized control.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The client persists the session ID and cookies to disk in a project-local JSON file, which can allow session hijacking by any local user, process, backup system, or accidental source-control inclusion that gains access to that file. Because these tokens may authenticate to ZenTao without re-entering credentials, compromise of the file can directly enable unauthorized API actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Reading credentials from TOOLS.md without explicit user action or warning is dangerous because documentation files are not an appropriate secret store and may contain plaintext credentials copied for convenience. In an agent or skill environment, this behavior silently broadens access to local secrets and can lead to credential theft or unintended remote actions under a privileged account.

Ssd 3

Medium
Confidence
99% confidence
Finding
The troubleshooting example explicitly instructs printing the full credentials object, which likely contains endpoint, username, and password. This can expose secrets in console output, logs, transcripts, or agent memory, enabling credential theft and subsequent unauthorized access to the ZenTao instance.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.