Strapi CMS

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Strapi management skill, but it gives an agent broad token-backed control over CMS content, schemas, users, raw API calls, and local file uploads without tight built-in scoping.

Install only for Strapi instances you intentionally want an agent to administer. Before enabling it:
  • Use a least-privilege Strapi API token; avoid Full Access unless a task genuinely needs it.
  • Test schema and layout changes on a local or dev instance first.
  • Require explicit confirmation for deletes, schema changes, publishing, user management, raw fetch calls, and uploads from local paths or URLs.
  • Avoid pointing file upload at sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill uses sensitive capabilities in practice (environment secrets and network access) without declaring them as permissions, which reduces transparency and weakens any policy or review control that depends on those declarations. Because the skill authenticates to a CMS and performs remote actions, undeclared capability scope makes over-privileged or unexpected behaviour more likely to go unnoticed.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The skill description frames the capability as routine Strapi content management, but the listed behavior also includes materially riskier operations: destructive schema changes, arbitrary raw HTTP requests, reading local files, and fetching arbitrary remote URLs for upload. In an agent context, those capabilities can be abused for SSRF, local file exfiltration, or destructive administrative changes to the CMS, especially because the skill is authenticated with a Strapi API token and aimed at managing production content.
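The local-file and remote-URL upload paths called out in this finding are where a practitioner would put a source check before anything reaches the Strapi client. The following is an added example and not the skill's own code: a pure-string policy check that confines local reads to one upload directory, refuses dotfiles, and only fetches from an explicit hostname allowlist over https. The policy values (`/srv/agent-uploads`, `assets.example.com`, `cdn.example.net`) and the function names are assumptions.

```javascript
// Added example, not the skill's own code: a source check that runs before an
// upload from a local path or a remote URL is handed to the Strapi client.
// The policy values are assumptions; set them per deployment.
const UPLOAD_POLICY = {
  localRoot: '/srv/agent-uploads',                                  // only files under this tree may be read
  allowedHosts: new Set(['assets.example.com', 'cdn.example.net']), // only these origins may be fetched
};

// Resolve `candidate` (relative to root, or absolute) with pure string handling so the
// check runs without touching the filesystem. Returns null if the result leaves the root.
// Production code should additionally compare fs.realpathSync() of both sides so a
// symlink inside the root cannot point back out of it.
function resolveUnder(root, candidate) {
  const joined = candidate.startsWith('/') ? candidate : `${root}/${candidate}`;
  const out = [];
  for (const seg of joined.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  const resolved = '/' + out.join('/');
  return resolved.startsWith(root + '/') ? resolved : null;
}

function checkLocalSource(p, policy = UPLOAD_POLICY) {
  if (typeof p !== 'string' || p.length === 0 || p.includes('\0')) return { ok: false, reason: 'invalid path' };
  const resolved = resolveUnder(policy.localRoot, p);
  if (resolved === null) return { ok: false, reason: `${p} resolves outside ${policy.localRoot}` };
  // Dotfiles (.env, .git/config, .ssh/id_ed25519) are refused even inside the root.
  const relative = resolved.slice(policy.localRoot.length + 1);
  if (relative.split('/').some((seg) => seg.startsWith('.'))) {
    return { ok: false, reason: `${p} is a hidden file or inside a hidden directory` };
  }
  return { ok: true, kind: 'local', source: resolved };
}

function checkRemoteSource(rawUrl, policy = UPLOAD_POLICY) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: 'not a valid absolute URL' }; }
  if (u.protocol !== 'https:') return { ok: false, reason: `scheme ${u.protocol} is not allowed; https only` };
  if (u.username !== '' || u.password !== '') return { ok: false, reason: 'credentials in the URL are not allowed' };
  if (u.port !== '') return { ok: false, reason: 'non-default ports are not allowed' };
  // WHATWG URL parsing canonicalises IP literals (https://2130706433/ becomes 127.0.0.1),
  // so an exact hostname allowlist rejects loopback, link-local and cloud-metadata
  // addresses in every spelling. Bare IPs are never on the list.
  if (!policy.allowedHosts.has(u.hostname)) return { ok: false, reason: `${u.hostname} is not an approved upload origin` };
  return { ok: true, kind: 'remote', source: u.href };
}

// Dispatch on the presence of a scheme; anything with `scheme://` goes through the URL
// check, so file:// and http:// are refused there rather than being read from disk.
function checkUploadSource(source, policy = UPLOAD_POLICY) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(source) ? checkRemoteSource(source, policy) : checkLocalSource(source, policy);
}

// Demo with constructed inputs: two legitimate sources and four that must be refused.
for (const s of [
  'photos/hero.png',
  'https://assets.example.com/logo.svg',
  '../../etc/passwd',
  '/srv/agent-uploads/.env',
  'http://169.254.169.254/latest/meta-data/',
  'file:///etc/shadow',
]) {
  const v = checkUploadSource(s);
  console.log(v.ok ? `allow ${v.source}` : `refuse ${s}: ${v.reason}`);
}
```

The hostname allowlist, rather than an IP denylist, is deliberate: a denylist has to enumerate every spelling of every internal range, while the allowlist only passes names the operator chose. It does not protect against an allowlisted name whose DNS is later pointed at an internal address; if that is in the threat model, resolve the name, check the address, and connect to that address in one step.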

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The examples document schema mutation operations such as creating content types and adding fields, which go beyond passive schema introspection and enable structural changes to the CMS and backing database. In an agent setting, exposing these capabilities can let a user or prompt-injected workflow alter application structure, trigger restarts, break integrations, or cause data loss without sufficient guardrails.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The raw API example exposes a generic fetch primitive that can reach arbitrary Strapi endpoints beyond the narrowly described management actions. This effectively creates a capability escape hatch: even if higher-level commands are constrained, a user can invoke sensitive admin or plugin endpoints directly, potentially bypassing intended scope restrictions and increasing the blast radius of prompt injection or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The raw `fetch <method> <path> [body]` command exposes a generic authenticated HTTP primitive that bypasses the skill's otherwise scoped command set. An agent can use it to access unintended Strapi admin, plugin, schema, permission, or other sensitive endpoints, turning a bounded CMS-management skill into a near-arbitrary API client with the full authority of `STRAPI_API_TOKEN`.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The handler exposes schema write primitives that can create, update, and delete content types, components, and fields, including operations that permanently remove data. This exceeds a read-only/introspection expectation and materially increases the blast radius of the skill: a prompt, misconfiguration, or confused deputy scenario could cause destructive database and schema changes, service restarts, and irreversible content loss.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding:
The CLI advertises structured Strapi management operations, but also exposes a generic `fetch` command that can hit arbitrary API paths. That expands capability beyond the declared high-level actions and can be used to reach sensitive admin or plugin endpoints with the configured API token, undermining least privilege and user expectations about what the skill can do.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
`handleFetch` accepts caller-controlled HTTP methods and paths and forwards them directly to `fetchJson` with the skill's authenticated client. This creates a confused-deputy capability where any downstream user who can invoke the skill may be able to perform unintended privileged operations against arbitrary Strapi endpoints, including destructive or administrative actions not covered by the normal handlers.
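The four findings above (the generic `fetch` primitive, the capability escape hatch, and `handleFetch` forwarding caller-controlled methods and paths to `fetchJson`) describe one defect, and the Overview's "require explicit confirmation for raw fetch" is the operational mitigation. The following is an added example and not the skill's own code: a scoped `handleFetch` that canonicalises the path, refuses admin and plugin routes outright, forwards only requests matching a declared route set, and requires an explicit confirmation flag for any state-changing method. `handleFetch` and `fetchJson` are the names the findings use; their argument shapes, the route lists, and the Strapi v4 route prefixes are assumptions to adjust for your instance.

```javascript
// Added example, not the skill's own code: a scoped replacement for a raw
// `fetch <method> <path> [body]` handler. `handleFetch` and `fetchJson` are the
// names the findings use; the argument shapes and route lists below are assumptions.

// Routes the skill is declared to manage: content entries under /api/<type>.
// Anchored regexes over the normalised path; query strings are never matched.
const ALLOWED_ROUTES = [
  { method: 'GET',    path: /^\/api\/[a-z0-9-]+(\/\d+)?$/ }, // list or read entries
  { method: 'POST',   path: /^\/api\/[a-z0-9-]+$/ },        // create an entry
  { method: 'PUT',    path: /^\/api\/[a-z0-9-]+\/\d+$/ },   // update an entry
  { method: 'DELETE', path: /^\/api\/[a-z0-9-]+\/\d+$/ },   // delete an entry
];

// State-changing methods need an explicit user confirmation on every call.
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Route prefixes that must never be reachable through the generic primitive, whatever
// the token can do: admin API, content-type builder, users-permissions, upload.
// Assumed Strapi v4 layout; check the paths against your own instance.
const DENIED_PREFIXES = [
  '/admin', '/content-manager', '/content-type-builder',
  '/api/upload', '/api/users', '/api/users-permissions', '/api/auth', '/upload',
];

// Canonicalise a caller-supplied path: same-origin only, percent-decoded once,
// query/fragment stripped, dot segments resolved, duplicate slashes collapsed.
// Returns null for anything that is not a plain path.
function normalizePath(rawPath) {
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/') || rawPath.startsWith('//')) return null;
  let decoded;
  try { decoded = decodeURIComponent(rawPath.split(/[?#]/)[0]); } catch { return null; }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Decide whether a raw request may be forwarded. Returns an explicit verdict so the
// agent can show the user why something was refused instead of silently failing.
function checkFetchRequest({ method, path, confirmed = false }) {
  const m = String(method || '').toUpperCase();
  const p = normalizePath(path);
  if (p === null) return { ok: false, reason: 'path must be a same-origin path starting with "/"' };
  if (DENIED_PREFIXES.some((d) => p === d || p.startsWith(d + '/'))) {
    return { ok: false, reason: `${p} is an admin or plugin endpoint and is never reachable via fetch` };
  }
  if (!ALLOWED_ROUTES.some((r) => r.method === m && r.path.test(p))) {
    return { ok: false, reason: `${m} ${p} is not in the skill's declared route set` };
  }
  if (MUTATING.has(m) && confirmed !== true) {
    return { ok: false, reason: `${m} ${p} changes state; rerun with explicit user confirmation` };
  }
  return { ok: true, method: m, path: p };
}

// The caller-controlled method and path reach the authenticated client only after
// the check passes. `fetchJson(method, path, body)` is injected so this runs offline.
function handleFetch(args, fetchJson) {
  const verdict = checkFetchRequest(args);
  if (!verdict.ok) throw new Error(`refused: ${verdict.reason}`);
  return fetchJson(verdict.method, verdict.path, args.body);
}

// Stand-in for the real client: records calls instead of talking to Strapi.
function makeRecordingClient() {
  const calls = [];
  const fetchJson = (method, path, body) => {
    calls.push({ method, path, body });
    return Promise.resolve({ data: null });
  };
  return { calls, fetchJson };
}

// Demo: one allowed read, one refused traversal attempt, one refused unconfirmed delete.
const demo = makeRecordingClient();
handleFetch({ method: 'get', path: '/api/articles/12?populate=*' }, demo.fetchJson);
for (const attempt of [
  { method: 'GET', path: '/api/articles/%2e%2e/%2e%2e/admin/users' },
  { method: 'DELETE', path: '/api/articles/12' },
]) {
  try { handleFetch(attempt, demo.fetchJson); } catch (e) { console.log(e.message); }
}
console.log(demo.calls); // only the GET /api/articles/12 call was forwarded
```

The allowlist is the actual control; the denied prefixes exist so that a later, careless widening of `ALLOWED_ROUTES` still cannot reach the admin or plugin surface. Decoding once before resolving dot segments is what stops `%2e%2e` from slipping past a check written against the raw string; double-encoded sequences remain literal segments and fail the allowlist regex on their own.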

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal