Back to skill

Security audit

Tapd

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TAPD integration skill that can read and change TAPD work items and optionally send WeChat notifications, so it should be used with scoped credentials and explicit user intent for writes.

Install only if you want an agent to operate TAPD on your behalf. Use a least-privilege, short-lived TAPD token where possible, keep BOT_URL private, verify any custom TAPD_API_BASE_URL before use, and require clear confirmation before creating, updating, commenting, logging time, editing Wiki content, linking records, or sending webhook messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'req' from os.environ.get (line 111, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req_body = json.dumps(data).encode("utf-8")

    req = urllib.request.Request(url, data=req_body, headers=headers, method=method.upper())
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The generic get/post subcommands expose arbitrary API endpoint access, bypassing the narrower resource scope described for the skill. In an agent setting, this broad surface can be abused to invoke undocumented or sensitive TAPD operations, including writes, permission changes, or data access beyond intended workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports creating and updating remote TAPD objects and sending enterprise WeChat messages, but the user-facing description does not prominently warn that it can modify remote data or send outbound notifications. In an agent setting, that omission increases the risk of unintended writes, spam, or workflow changes when a user expects read-only assistance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.