Back to skill

Security audit

Gong

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Gong API helper that can access sensitive Gong data only when the user supplies Gong credentials.

Install only if you want an agent to use your Gong API key to retrieve users, calls, transcripts, and activity data. Use a dedicated least-privilege Gong API key, restrict permissions on ~/.config/gong/credentials.json, avoid sharing raw transcripts in insecure channels, and confirm the configured base_url is your official Gong API domain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs use of shell commands such as curl, jq, base64, and date, but does not declare permissions for shell/network-capable behavior. This creates a transparency and governance gap: consumers may not realize the skill can invoke commands that access local credential files and transmit data to external services.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill provides direct instructions for listing users, calls, and especially retrieving call transcripts, which may contain highly sensitive business, personal, or regulated information. Without any privacy warning, data handling guidance, or authorization expectations, the skill increases the chance of over-collection, accidental disclosure, or misuse of conversation intelligence data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The authentication example shows extracting access and secret keys from a local file and using them in a Basic Authorization header for outbound requests, but gives no warning about credential sensitivity, shell history exposure, process inspection, or secure storage practices. This can lead to credential leakage or careless reuse in insecure environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.