Back to skill

Security audit

Moodle Connector

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Moodle connector, but it needs review because it handles account tokens and private course data while exposing overbroad download/write behavior and inconsistent credential documentation.

Review before installing. Use only with trusted local MCP clients, avoid the hardcoded test-pass path, protect or exclude config.json, credentials.enc, cache, and downloads from commits/backups, and restrict downloads to trusted Moodle URLs and safe output directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents capabilities to read environment variables, read/write local files, and access the network, but does not declare corresponding permissions or boundaries. This creates a transparency and consent failure: users may invoke a skill that handles secrets, persists tokens, and downloads remote content without an explicit permissions model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation materially overstates and misstates behavior, including claiming broader SSO support than appears implemented and omitting important data-handling behaviors such as local credential storage, caching, and token fallback flows. In security-sensitive tooling, this can lead users to trust unsupported authentication paths, misunderstand where secrets are stored, and deploy the skill in inappropriate environments.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The claim of 'No external data transmission or logging' conflicts with the documented function of a Moodle REST client that authenticates via SSO, fetches user data, and downloads files over the network. Misrepresenting network data flows can cause users to underestimate privacy and exposure risks when supplying tokens, SSO credentials, or course data.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code claims to sanitize errors, but it returns the raw RuntimeError text to the MCP client. If downstream code raises RuntimeError values containing secrets, file paths, environment details, configuration state, or authentication diagnostics, those details are exposed over the MCP interface and can aid further compromise.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description does not define clear activation constraints, allowed scopes, or trigger boundaries despite exposing broad operations like login, downloads, summaries, and MCP tooling. In agent-integrated contexts, vague boundaries increase the chance of overbroad invocation, unintended data access, or unsafe autonomous use with sensitive credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The headless workflow states that authentication tokens are saved automatically to config.json, but it does not prominently warn that this creates sensitive local state that may be exposed through insecure file permissions, artifacts, backups, or accidental commits. In CI/CD environments, this is especially risky because workspace files are often retained or shared across jobs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The configuration examples include plaintext tokens and client secrets without an immediate, explicit warning about safe storage, rotation, and exclusion from source control. Users frequently copy examples verbatim, so insecure examples can normalize unsafe handling of production credentials.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The downloader writes files using names taken from the configuration without validating or constraining the resulting path. A crafted filename such as '../sensitive.txt' or an absolute path could cause files to be written outside the intended module/output directory, leading to arbitrary file overwrite within the privileges of the user running the script.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The download command accepts an arbitrary URL and writes the fetched content to a caller-controlled path, which can overwrite files if the process has permission. In an agent/integration context, this is dangerous because untrusted input can be turned into local file writes, enabling file clobbering, persistence, or dropping malicious payloads on disk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.