Back to skill

Security audit

cesto-toolkit

Security checks across malware telemetry and agentic risk

Overview

The skill appears built for Cesto, but its login/session handling is under-scoped and less transparent than its documentation claims.

Review before installing if you are uncomfortable with a third-party skill storing Cesto session tokens locally or opening a browser login flow. Use it only for intentional Cesto tasks, avoid pasting login links into shared logs, and confirm carefully before any public basket is published or authenticated request is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif system == "Linux":
            subprocess.Popen(["xdg-open", url], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        elif system == "Windows":
            subprocess.Popen(["start", url], shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        else:
            return False
        return True
Confidence
98% confidence
Finding
subprocess.Popen(["start", url], shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes shell scripts, performs network calls, and stores authentication state locally, yet it declares no permissions. This creates a transparency and least-privilege problem: users and the platform cannot accurately assess or constrain what the skill can do, increasing the risk of unintended file writes, network access, or command execution under the guise of a simple API toolkit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description presents the skill as a Cesto interaction toolkit, but the implementation also performs local session management, browser launching, token refresh, and generic authenticated request forwarding. That hidden operational scope is security-relevant because it expands trust boundaries from simple data retrieval into credential handling and local persistence, which can surprise users and reviewers and mask higher-risk behavior.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring claims the agent never sees session IDs or tokens, but in the fallback path the script prints loginUrl containing the session query parameter. That discrepancy can cause operators or downstream tooling to expose or log a bearer-like authentication session identifier under the false assumption that it is non-sensitive.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad, including generic terms like 'basket' and investment-adjacent language, which can cause unintended invocation in unrelated contexts. In a skill with shell, network, auth, and browser-opening capabilities, accidental activation materially increases exposure by prompting unnecessary external calls or authentication workflows for benign user queries.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:478