Security audit

Vikunja-complete

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Vikunja command-line integration with sensitive admin features that should be used carefully, but the artifacts do not show hidden or malicious behavior.

Install only if you intend to let an agent operate your Vikunja account. Use a least-privilege VIKUNJA_TOKEN, avoid shared logs when creating API tokens, create webhooks only to trusted endpoints, review attachment file paths before upload or download, and run the smoke test only against a test workspace because it mutates live Vikunja data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill exposes shell-capable commands and networked side effects but does not declare permissions or otherwise signal that it can execute shell operations. This weakens security review and user consent because the skill can perform real system and API actions without explicit capability disclosure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The description frames the skill as straightforward task/project management, but the documented behavior includes sensitive and higher-risk capabilities such as API token management, webhook creation, attachment file handling, and a smoke test that mutates live data. This mismatch can mislead operators into granting trust or using the skill in contexts where those additional capabilities are inappropriate.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The skill is presented as task/project management, but it also manages API tokens and returns newly created token secrets in output. That materially expands capability into credential issuance and secret handling, which is security-sensitive and not clearly justified by the stated skill scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill can create outbound webhooks to arbitrary target URLs, which is beyond ordinary task management and enables data egress or interaction with attacker-controlled endpoints. This hidden expansion of scope increases risk because users may not expect the skill to configure external callbacks.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The skill can create API tokens with arbitrary permissions, which is a credential-minting capability that can grant durable access beyond the current session. In a task-management skill, this is especially dangerous because it can be abused to create long-lived, high-privilege credentials for persistence or lateral misuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation advertises delete and other destructive commands for comments, attachments, filters, webhooks, and tokens without warning about irreversible changes or operational impact. In practice this increases the chance of accidental data loss, broken automation, or revocation of access when users follow examples or automate against them.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The setup requires an API token and demonstrates webhook target URLs and file transfer operations, but provides no guidance on secret handling, scope limitation, or privacy implications. That omission can lead to token leakage, overprivileged credentials, or unsafe webhook exposure to unintended hosts.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The attachment download command writes server-provided content to an arbitrary output path supplied by the caller without additional guardrails or disclosure. In an agent setting, this can overwrite sensitive local files or place untrusted content in dangerous locations if the path is influenced by adversarial input.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The attachment upload command sends contents of an arbitrary local file to the remote Vikunja server. In an agent context, that creates a data-exfiltration primitive if an attacker can influence the file path or trick the agent into uploading sensitive local files.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The token creation path returns the newly created secret token value directly in command output without warning or redaction. That makes accidental logging, prompt leakage, or downstream disclosure of privileged credentials far more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.