Timedoctor

Security checks across malware telemetry and agentic risk

Overview

This is a real TimeDoctor API wrapper, but it gives agents access to sensitive employee data and teaches unsafe password and long-lived token handling.

Install only if you trust the publisher and will use an authorized, least-privileged TimeDoctor account. Do not paste your TimeDoctor password into chat; generate or provide credentials outside the agent where possible. Treat TIMEDOCTOR_TOKEN like a password, avoid putting it in shell profiles on shared systems, and use the payroll/screenshot features only where employee monitoring is lawful, expected, and approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires environment-variable access and network access to operate, but it does not declare those permissions. That creates a transparency and consent problem: an agent or user may authorize the skill without understanding that it reads secrets from the environment and transmits sensitive data to an external API.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description presents the skill as a simple time-tracking integration, but the documented commands extend into highly sensitive areas such as payroll, leave, managed users, schedules, and screenshot/file metadata. This mismatch can cause users to underestimate the breadth of access and approve a skill that can retrieve substantially more sensitive employee-monitoring data than advertised.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description frames the tool as a time-tracking and productivity integration, but the implementation also exposes highly sensitive employee surveillance and compensation data through screenshot/screencast and payroll endpoints. This is dangerous because users may grant or run the skill under a narrower trust assumption than the code actually warrants, leading to unexpected access to intrusive personal data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises access to highly sensitive workforce-monitoring data, including activity logs, screenshots, payroll, and productivity metrics, without any warning about privacy, consent, least-privilege use, or legal/compliance obligations. In an agent skill context, this increases the chance that users or agents will retrieve employee surveillance data casually or inappropriately.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README recommends persisting a long-lived JWT token in shell startup files, which exposes credentials to local compromise, accidental disclosure, backups, shared environments, and downstream processes. Because the token is valid for months and grants access to sensitive company monitoring data, persistence materially raises credential exposure risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions tell the agent to ask the user for their TimeDoctor email and password directly in chat, with no warning about credential sensitivity, storage, or safer alternatives. Collecting account passwords through a conversational agent significantly increases the risk of credential theft, logging exposure, replay, and mishandling by downstream systems.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation encourages storing a long-lived JWT in an environment variable and even shows a realistic example token, but it does not warn that the token is a sensitive bearer credential valid for months. Long-lived bearer tokens are highly valuable targets; if exposed in shell history, logs, screenshots, or process environments, they can enable persistent unauthorized access.

Missing User Warnings

High
Confidence
92% confidence
Finding
The skill advertises access to employee monitoring, productivity, payroll, and screenshot-related data without any privacy, consent, or least-privilege guidance. Because these data types are highly sensitive and potentially intrusive, omitting warnings increases the chance of misuse, overcollection, or deployment in contexts where users and employees do not understand the surveillance implications.

Ssd 3

High
Confidence
99% confidence
Finding
These instructions direct the agent to collect credentials, run a login flow, extract the returned token, and then display/export that secret back into the conversation. This is dangerous because both the password and the resulting bearer token may be captured in chat logs, tool logs, transcripts, or UI history, turning the agent into a secret-handling and secret-exfiltration channel.

Ssd 3

High
Confidence
99% confidence
Finding
The example workflow explicitly instructs the agent to ask for credentials, authenticate on the user's behalf, and then return the acquired token verbatim. That normalizes unsafe secret handling and creates a concrete exfiltration pattern where long-lived credentials are surfaced in plain text, greatly increasing compromise risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27.0
Confidence
97% confidence
Finding
httpx>=0.27.0

VirusTotal

64/64 vendors flagged this skill as clean.
