Security audit

Muse Installer

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly coherent as a Muse installer, but it needs review because it asks for a Telegram bot token in chat and persists inferred profile data without enough safety guidance.

Review the repository before running the installer, because it pulls and runs remote code as a background local service. Treat Telegram bot tokens as secrets: do not paste a real token into ordinary chat, and rotate it if exposed. Also consider whether you are comfortable sharing occupation, interests, creator links, and inferred profile data with the local Muse dashboard before completing onboarding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The skill expands from local install/onboarding into collecting a Telegram bot token and launching a bot process, which introduces secret handling and an externally reachable integration unrelated to the core install path. This increases attack surface and can expose control of the user's bot if the token is mishandled in chat logs, shell history, or process environments.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The onboarding flow directs the agent to collect platform links, analyze a user's external content, derive a profile/DNA, and sync it to a service without first warning the user or obtaining explicit consent. This creates a privacy risk because personal profile data and inferred attributes are processed and persisted without transparency or minimization.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The Telegram setup asks the user to provide a bot token with no warning that it is a sensitive credential or how it will be used and stored. Users may disclose a powerful secret in plain chat, enabling unauthorized bot control if the conversation, logs, or downstream systems are exposed.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The skill explicitly instructs the agent to solicit a Telegram bot token and interpolate it into a shell command flow, exposing the secret in plaintext conversation and likely in process environment state. This is dangerous because chat transcripts, telemetry, or local system inspection can leak the token, giving an attacker control over the Telegram bot.

Ssd 3

Severity: Medium
Confidence: 95%
Finding:
The skill collects occupation, interests, and platform links, then persists both user-supplied and inferred 'DNA' profile data to the local service without an explicit consent or minimization step. Even if stored locally, this is sensitive profiling data that could be exposed through the app, logs, backups, or other local compromise.

VirusTotal

60/60 vendors flagged this skill as clean.
