
Security audit

trailsnap-cli

Security checks across malware telemetry and agentic risk

Overview

This TrailSnap photo-library CLI mostly matches its stated purpose, but it exposes a one-step photo deletion command with no confirmation and stores an API token in a local .env file.

Install only if you trust this skill with your TrailSnap account and private photo library. Use a least-privileged API token, protect the local .env file, and require explicit human confirmation before any photo deletion command is allowed to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The skill metadata says this CLI is for querying/viewing photo information, but the code registers a destructive `delete` subcommand. This mismatch is dangerous because an agent or user may invoke the skill under the assumption it is read-only, enabling unexpected deletion of photos and violating least surprise and least privilege.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
`execute_delete` issues a real HTTP DELETE request to `/photos/{photo_id}` even though the skill is presented as a query tool. In an agent setting, this creates a serious safety risk because tooling selection and user trust may be based on the skill description, causing destructive actions to be taken without informed consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The example documentation exposes a destructive `photos delete` command even though the skill is described as a read/query tool for viewing photos and related metadata. This mismatch can cause an agent or user to invoke deletion in a context where only non-destructive access was expected, increasing the risk of accidental data loss.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill metadata describes this as a read/query tool, but the reference documents a destructive `photos delete` command. This capability mismatch is dangerous because an orchestrating agent or user may invoke the skill under the assumption it is read-only, leading to unintended data deletion and a breakdown of least-privilege expectations.
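The four mismatch findings above all reduce to one check: does the skill's description agree with the subcommands and HTTP methods its code and manifest actually expose? The following linter is an added example written for this audit; it is not SkillSpector's implementation (which this page does not show) and not trailsnap-cli's code. The manifest and source snippet are constructed stand-ins, and the verb lists and regular expressions are this example's own assumptions.

```python
"""Capability linter: does a skill's description match what its code can do?

Added example for this audit; not SkillSpector's own logic. The manifest and
source below are constructed, and the verb lists and regexes are assumptions.
"""
import re

# Subcommand names treated as destructive (assumed list).
DESTRUCTIVE_VERBS = {"delete", "remove", "rm", "purge", "destroy", "wipe"}
# Description words that suggest the author is presenting a read-only tool.
READ_ONLY_HINTS = ("query", "view", "show", "list", "read", "inspect", "browse")

# argparse `sub.add_parser("delete")` and click `@cli.command("delete")`.
_SUBCOMMAND_RE = re.compile(r'(?:add_parser|\.command)\(\s*["\']([\w-]+)["\']')
# HTTP calls that change server-side state, e.g. requests.delete(...).
_HTTP_MUTATION_RE = re.compile(
    r'(?:requests|httpx|session|client)\.(delete|put|patch|post)\('
    r'|method\s*=\s*["\'](DELETE|PUT|PATCH|POST)["\']',
    re.IGNORECASE,
)

# Constructed stand-ins for the skill manifest and the CLI source it ships.
SAMPLE_MANIFEST = {
    "name": "trailsnap-cli",
    "description": "Query and view photo information and related metadata",
    "commands": ["photos list", "photos show", "photos delete"],
}
SAMPLE_SOURCE = '''
import argparse
import requests

def execute_delete(photo_id):
    return requests.delete(f"{BASE_URL}/photos/{photo_id}")

parser = argparse.ArgumentParser()
sub = parser.add_subparsers(dest="action")
sub.add_parser("list")
sub.add_parser("show")
sub.add_parser("delete")
'''


def description_claims_read_only(description: str) -> bool:
    """True when the description sounds read-only and admits no destructive verb."""
    text = description.lower()
    hints = any(h in text for h in READ_ONLY_HINTS)
    admits_destruction = any(re.search(rf"\b{v}\b", text) for v in DESTRUCTIVE_VERBS)
    return hints and not admits_destruction


def find_destructive_subcommands(source: str) -> set:
    """Subcommand names registered in the source that are destructive verbs."""
    return {c for c in _SUBCOMMAND_RE.findall(source) if c.lower() in DESTRUCTIVE_VERBS}


def find_mutating_http_methods(source: str) -> set:
    """HTTP methods used in the source that mutate remote state."""
    return {(m.group(1) or m.group(2)).upper() for m in _HTTP_MUTATION_RE.finditer(source)}


def audit(manifest: dict, source: str) -> list:
    """One finding per place where a read-only description is contradicted."""
    if not description_claims_read_only(manifest.get("description", "")):
        return []  # the description already admits to mutation; nothing to flag
    findings = []
    for cmd in sorted(find_destructive_subcommands(source)):
        findings.append(f"code registers destructive subcommand `{cmd}`")
    for method in sorted(find_mutating_http_methods(source)):
        findings.append(f"code issues HTTP {method}")
    for cmd in manifest.get("commands", []):
        if cmd.split()[-1].lower() in DESTRUCTIVE_VERBS:
            findings.append(f"manifest documents destructive command `{cmd}`")
    return [f"description-behavior mismatch: read-only description but {f}" for f in findings]


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(line)
```

Run against the constructed sample it reports three mismatches (the registered `delete` subcommand, the HTTP DELETE, and the documented `photos delete`); change the description to admit deletion and it reports nothing, which is the point: the fix for this class of finding is either to drop the capability or to describe it honestly so an orchestrating agent can weigh it.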

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The deletion path performs an irreversible-looking destructive action immediately, with no confirmation prompt, dry-run, or warning. This increases the likelihood of accidental or prompt-induced data loss, especially when the CLI may be operated by an automated agent rather than a human carefully reviewing the command.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
Showing a destructive delete command without any warning, confirmation, or operational context normalizes unsafe usage and makes accidental invocation more likely. In an agent skill, examples are often copied directly, so undocumented destructive actions can lead to unintended permanent deletion of user photos.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The manifest explicitly exposes a destructive `photos delete` operation but provides no warning, confirmation requirement, or guidance to ensure the user intended a permanent deletion. In an agent setting, this increases the risk of accidental or over-broad data loss if the model invokes the command based on an ambiguous prompt.
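What the three findings above ask for is a deletion path that cannot fire on an ambiguous prompt: a dry-run that is safe to try, a typed confirmation when a human is present, and a refusal when nobody is there to confirm. The code below is an added example showing one such guard; it is not trailsnap-cli's own code, and the `TRAILSNAP_UNATTENDED_DELETE` opt-in variable, the argument names and the guard's exact policy are this example's assumptions.

```python
"""Hardened `photos delete`: dry-run, typed confirmation, refusal when unattended.

Added example for this audit, not trailsnap-cli's code. The env var
TRAILSNAP_UNATTENDED_DELETE and the guard's policy are this example's assumptions.
"""
import argparse
import os
import sys
from typing import Callable, Optional


class DeletionRefused(RuntimeError):
    """The guard decided the deletion must not proceed; nothing was sent."""


def execute_delete_unsafe(photo_id: str, delete_fn: Callable[[str], None]) -> None:
    """The pattern the audit flags: one call, no dry-run, no confirmation."""
    delete_fn(photo_id)


def guarded_delete(photo_id: str, *, delete_fn: Callable[[str], None],
                   yes: bool = False, dry_run: bool = False,
                   interactive: Optional[bool] = None,
                   prompt_fn: Callable[[str], str] = input,
                   env: Optional[dict] = None) -> dict:
    """Send the DELETE only after a human (or an explicit operator opt-in) approved it."""
    env = os.environ if env is None else env
    if interactive is None:
        interactive = sys.stdin.isatty()  # an agent driving the CLI is normally not a TTY
    if dry_run:
        return {"status": "dry-run", "photo_id": photo_id, "deleted": False}
    if yes:
        # --yes skips the prompt for a human at a terminal. Unattended callers (agents,
        # cron) only get it when an operator deliberately set the opt-in variable.
        if not interactive and env.get("TRAILSNAP_UNATTENDED_DELETE") != "1":
            raise DeletionRefused(
                "--yes is ignored in a non-interactive session; "
                "set TRAILSNAP_UNATTENDED_DELETE=1 to allow unattended deletion")
    else:
        if not interactive:
            raise DeletionRefused(
                "no terminal to confirm on; use --dry-run, or --yes with "
                "TRAILSNAP_UNATTENDED_DELETE=1")
        typed = prompt_fn(f"This permanently deletes photo {photo_id}. "
                          f"Type the photo id to confirm: ")
        if typed.strip() != photo_id:
            raise DeletionRefused("confirmation did not match; nothing deleted")
    delete_fn(photo_id)
    return {"status": "deleted", "photo_id": photo_id, "deleted": True}


def build_parser() -> argparse.ArgumentParser:
    """`trailsnap photos delete <id> [--dry-run] [--yes]` with the danger stated in --help."""
    parser = argparse.ArgumentParser(prog="trailsnap")
    resources = parser.add_subparsers(dest="resource", required=True)
    photos = resources.add_parser("photos").add_subparsers(dest="action", required=True)
    delete = photos.add_parser("delete", help="PERMANENTLY delete a photo (irreversible)")
    delete.add_argument("photo_id")
    delete.add_argument("--dry-run", action="store_true",
                        help="show what would be deleted and delete nothing")
    delete.add_argument("--yes", action="store_true",
                        help="skip the confirmation prompt (see TRAILSNAP_UNATTENDED_DELETE)")
    return parser


def main(argv, delete_fn: Callable[[str], None], **guard_kwargs) -> dict:
    """Parse argv and run the guarded delete; a refusal comes back as a result, not a crash."""
    args = build_parser().parse_args(argv)
    try:
        return guarded_delete(args.photo_id, delete_fn=delete_fn, yes=args.yes,
                              dry_run=args.dry_run, **guard_kwargs)
    except DeletionRefused as exc:
        return {"status": "refused", "photo_id": args.photo_id, "deleted": False,
                "reason": str(exc)}


if __name__ == "__main__":
    # Stand-in for the real HTTP DELETE so the example runs offline.
    def fake_delete(photo_id: str) -> None:
        print(f"would send DELETE /photos/{photo_id}")
    print(main(sys.argv[1:], delete_fn=fake_delete))
```

The design choice worth noting is that `--yes` is not enough on its own: an agent running the CLI through a pipe is non-interactive, so its `--yes` is refused unless the operator has set the opt-in variable, which keeps the "explicit human confirmation" requirement from the overview enforceable rather than advisory.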

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The manifest allows direct configuration of an API token and URL but gives no privacy or credential-handling guidance, such as avoiding logging, echoing, or exposing tokens in examples and transcripts. In an LLM-agent environment, secrets passed as tool arguments may be surfaced in logs, debugging output, or conversation history, creating credential leakage risk.
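The credential-handling guidance the finding says is missing comes down to three habits: keep the token in a file only the owner can read, take it from the environment rather than a command-line argument, and mask it before it can reach a log or transcript. The code below is an added example of those habits and is not trailsnap-cli's code; the variable name `TRAILSNAP_API_TOKEN`, the `.env` syntax it accepts, and the masking rule are this example's assumptions, and the `.env` contents it writes are constructed.

```python
"""Credential hygiene for a CLI that keeps its API token in a local .env file.

Added example for this audit, not trailsnap-cli's code. The variable name
TRAILSNAP_API_TOKEN, the accepted .env syntax and the masking rule are assumptions.
"""
import logging
import os
import re
import stat
import tempfile
from pathlib import Path

TOKEN_VAR = "TRAILSNAP_API_TOKEN"  # assumed name of the token variable
_KV_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def check_env_permissions(path) -> int:
    """Refuse a .env that group or other can read; return its mode bits otherwise."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other (mode {mode:04o}); run chmod 600")
    return mode


def load_env_file(path) -> dict:
    """Parse KEY=VALUE lines (comments, blanks, `export`, simple quotes) from a 0600 file."""
    path = Path(path)
    check_env_permissions(path)
    values = {}
    for line in path.read_text().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _KV_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def resolve_token(cli_token, env: dict):
    """Prefer the environment; a token given on the command line is accepted but warned about."""
    if cli_token:
        return cli_token, [
            "token passed on the command line: it can appear in shell history, process "
            f"listings and agent transcripts; set {TOKEN_VAR} or use .env instead"]
    token = env.get(TOKEN_VAR)
    if not token:
        raise KeyError(f"{TOKEN_VAR} is not set")
    return token, []


def redact(text: str, secrets) -> str:
    """Replace every known secret in text with a mask that keeps only a short suffix."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        masked = "****" + secret[-4:] if len(secret) >= 12 else "****"
        text = text.replace(secret, masked)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that masks known secrets before any handler sees the record."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()  # already formatted above; stop handlers re-applying args
        return True


def redacted_log_line(msg: str, args: tuple, secrets) -> str:
    """Build a record the way logging would, run it through the filter, return the text."""
    record = logging.LogRecord("trailsnap", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter(secrets).filter(record)
    return record.getMessage()


def demo_roundtrip() -> dict:
    """Write a constructed .env into a temp dir; show the accepted and the refused path."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text("# constructed sample, not a real credential\n"
                            "export TRAILSNAP_API_TOKEN='tsk_live_abcdef123456'\n"
                            "TRAILSNAP_API_URL=https://api.example.invalid\n")
        os.chmod(env_path, 0o600)
        loaded = load_env_file(env_path)
        os.chmod(env_path, 0o644)  # simulate a careless chmod or a permissive umask
        try:
            load_env_file(env_path)
            refused = False
        except PermissionError:
            refused = True
    return {"loaded": loaded, "refused_when_world_readable": refused}


if __name__ == "__main__":
    result = demo_roundtrip()
    token, warnings = resolve_token(None, result["loaded"])
    print(result["refused_when_world_readable"],
          redacted_log_line("using token %s", (token,), [token]), warnings)
```

Installing the filter on the CLI's logger (`logging.getLogger("trailsnap").addFilter(RedactingFilter([token]))`) is what stops a debug line such as `using token %s` from writing the full token into a file an agent framework later feeds back into the conversation; the permission check is what turns a world-readable `.env` into a hard error rather than a silent exposure.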

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.