Security audit

PassManager

Security checks across malware telemetry and agentic risk

Overview

This password-manager skill is purpose-aligned, but its own artifacts indicate unsafe secret-handling guidance and security controls that appear under-scoped for credential storage.

Install only after reviewing the implementation and documentation carefully. Avoid using real credentials until command-line secret exposure is fixed, access control is enforced in code, backup/export handling is hardened, and destructive or bulk operations have clear confirmations and recovery guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The document claims version 1.0.0 provides AES-256-GCM encryption, but the changelog says v1.0.0 actually used only deprecated base64 obfuscation. This kind of security-documentation contradiction can cause operators to deploy or trust a version that does not protect secrets at all, leading to plaintext-equivalent credential exposure.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The code defines a role model via check_permission(), but none of the sensitive operations actually enforce it. Any caller who can invoke methods or CLI commands can add, read metadata, delete credentials, manage team members, run backups/restores, and view audit logs without authorization checks, which completely breaks the claimed enterprise access-control boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The backup routine copies both the encrypted credential database and the .master_key verification material, and restore imports both back. While the copied key file is not the plaintext encryption key, bundling all key-verification material with the ciphertext materially reduces operational separation and gives anyone who can access the backup a complete export of the password vault that can be attacked offline.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README instructs users to pass the master password and account password directly on the command line and to use a password-revealing flag, but it gives no warning that these values may be exposed via shell history, process listings, terminal scrollback, logs, or screen recording. In a password-management skill, this is especially dangerous because the documentation normalizes insecure secret handling and can directly lead to credential disclosure on multi-user systems or monitored environments.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The quick-start examples instruct users to pass both the master password and stored credential password directly as command-line arguments. On many systems, command-line arguments can be exposed through shell history, process listings, logs, or terminal recordings, which can leak highly sensitive secrets even if the underlying storage uses strong encryption.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The manifest examples include master passwords and account passwords directly on the command line, which encourages unsafe secret handling. Command-line secrets are commonly exposed through shell history, process listings, terminal logs, screenshots, and agent telemetry, making credential compromise more likely even if the underlying storage is encrypted.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill documents destructive commands like delete, update-assistant, and delete-assistant without any warning, confirmation flow, rollback guidance, or scope restrictions. In a password-management context, this increases the chance of accidental credential loss, privilege mistakes, and irreversible administrative changes by users or automation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
Restore and export operations are highly sensitive in a password manager because they can overwrite trusted data or produce files containing credential material. Documenting them without integrity validation, backup warnings, or secure-output handling guidance increases the risk of credential disclosure, corruption, or malicious rollback from untrusted backup files.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Bulk import/export features magnify the blast radius of mistakes because a single command can expose or modify many credentials at once. In this context, omitting warnings about validation, encryption, and review of batch files makes accidental mass disclosure or corruption much more likely.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The deployment example stores backups in S3 without any mention of bucket policies, encryption, key management, network restrictions, or access logging. Because backups of a password manager are especially sensitive, insecure remote storage can expose the entire credential database even if the live system is protected.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The training guide provides operational commands to query, add, update, delete, export, restore, and manage password data, including destructive actions and sensitive retrieval flows, but it does not consistently warn about authorization requirements, production-vs-test separation, confirmation steps, or the risk of exposing secrets in terminal output and exported files. In a password-management context, such instructions can normalize unsafe handling of credentials and lead assistants to retrieve or modify real secrets without sufficient safeguards.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.