Security audit

XGJK BP Audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate BP audit skill, but it also has credential-backed write access that can create production BP records and is not consistently scoped or confirmed.

Install only if you trust the BP API environment and can provide a least-privilege appKey. Treat normal audit use as read-only, keep the appKey out of chat/logs/files, do not set BP_OPEN_API_BASE_URL to an untrusted host, and require the agent to show the exact parent ID and payload plus receive explicit final approval before any add_key_result or add_action command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Tainted flow: 'url' from os.environ.get (line 52, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
try:
    if method == "GET":
        resp = requests.get(url, params=params, headers=headers, timeout=TIMEOUT)
    else:
        headers["Content-Type"] = "application/json"
        resp = requests.post(url, params=params, json=json_body, headers=headers, timeout=TIMEOUT)
Confidence
87% confidence
Finding
resp = requests.get(url, params=params, headers=headers, timeout=TIMEOUT)

Tainted flow: 'url' from os.environ.get (line 52, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        resp = requests.get(url, params=params, headers=headers, timeout=TIMEOUT)
    else:
        headers["Content-Type"] = "application/json"
        resp = requests.post(url, params=params, json=json_body, headers=headers, timeout=TIMEOUT)

    resp.raise_for_status()
    data = resp.json()
Confidence
90% confidence
Finding
resp = requests.post(url, params=params, json=json_body, headers=headers, timeout=TIMEOUT)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Including data-writing capabilities inside a skill framed as an audit/query utility violates least surprise and increases the chance of accidental state changes. In this business-planning context, creating child KRs or Actions can alter accountability structures and downstream reporting, so hidden write paths are materially risky.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README for an audit-focused skill includes concrete write operations (`add_key_result`, `add_action`) that can modify remote BP data, expanding the skill from read-only diagnosis into mutation. In an agent setting, this increases the chance that a user request for analysis is misinterpreted or escalated into state-changing actions, especially because the examples are embedded as normal usage guidance rather than strongly separated administrative tooling.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as an audit/diagnostic tool, but the documented API surface includes POST endpoints that create key results and actions. This expands the effective capability from read-only analysis to state-changing operations, increasing the chance that an agent or user invokes mutations unexpectedly under the guise of an audit workflow.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation provides step-by-step operational guidance for creating BP items, including required parameters and fallback lookup flows, which materially enables content creation rather than mere auditing. In an agent setting, such instructions lower the barrier to unintended or over-broad writes, especially when the skill description suggests a safer diagnostic scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an audit/query tool, but it includes add_key_result and add_action operations that modify remote BP records. This mismatch is dangerous because users or orchestrating agents may grant it read-oriented trust while it actually has write capability against a credential-backed API.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The top-level documentation repeatedly frames the module as a data-query/audit CLI, yet the implementation performs record creation through POST endpoints. This deceptive interface increases the chance of unsafe invocation by automated agents and human operators who reasonably expect non-mutating behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The write-operation guidance explains how to create records but does not prominently warn about side effects, approval expectations, rollback limits, or pre-execution review. In an enterprise BP system, that omission can lead users or agents to make unintended persistent changes to planning data without adequate human verification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Advertising built-in write support in version/manifest-adjacent text without a visible modification warning normalizes mutation in what appears to be an audit tool. That makes the context more dangerous because users are primed to trust the skill for diagnostics, not to expect production data creation against a remote API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The write examples show commands that directly add BP nodes but do not clearly and prominently state that they perform remote modifications. In a skill marketed mainly as an audit/diagnostic tool, this creates a dangerous expectation mismatch: an operator or downstream agent may treat the skill as safe/read-only and inadvertently execute destructive or unauthorized changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The write-interface section lists mutation endpoints without an explicit warning that these operations create persistent BP records and may alter business data. In a tool marketed for auditing, the absence of a clear caution increases the risk of accidental or socially engineered changes to production content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The authentication section states that requests require an appKey header but does not identify the credential as sensitive or warn against logging, echoing, or exposing it. This omission can lead to credential leakage through prompts, transcripts, debug output, or copied examples, enabling unauthorized API access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool performs credential-backed outbound requests without any user-facing disclosure at execution time about the destination or the fact that authentication material is being used. In agent settings, that reduces transparency and can cause sensitive internal data queries to be sent externally without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The mutating actions create new key results or actions immediately once invoked, with no confirmation gate, dry-run mode, or explicit warning. In an audit-themed skill, this is particularly risky because a caller may assume inspection-only behavior while accidentally causing persistent changes in the BP system.

VirusTotal

66/66 vendors flagged this skill as clean.