Back to skill

Security audit

zentao

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ZenTao CLI helper, with the main caution that login credentials are entered on the command line and saved locally.

Install this only if you trust the zentao CLI and the ZenTao server you connect to. Avoid putting long-lived or highly privileged passwords directly in commands when possible, and check or remove ~/.config/zentao/config.toml if you no longer want credentials stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to authenticate with a plaintext password on the command line and states that credentials are written to a persistent local config file, but it does not give an explicit security warning or describe how the secrets are protected. This is dangerous because command-line arguments may be exposed via shell history or process inspection, and persisted credentials in a user config directory can be recovered by other local processes or users if file permissions or storage protections are weak.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.