Security audit

Otc Confirmation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate confirmation-code skill, but its security guarantees are overstated and the documented workflow can expose approval codes in chat.

Review before installing for high-impact workflows. Use a dedicated SMTP app password, avoid the custom backend unless the script is trusted and protected, do not rely on the zero-knowledge claim if users paste codes into chat, clear stale state files or add expiry, and add a separate operation-bound policy wrapper for truly dangerous actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Tainted flow: 'code' from os.environ.get (line 336, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
    def _write_state_file(self, code: str, token: str):
        """Write code to state file for shell script compatibility."""
        state_path = Path(self.config.state_dir) / "pending"
        state_path.write_text(code)
        os.chmod(state_path, 0o600)

    def _cleanup_state_file(self, token: str):
Confidence
90% confidence
Finding
state_path.write_text(code)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior is internally inconsistent: it promises that the code never appears in stdout, logs, or chat, yet the analyzer detected example behavior that prints the confirmation code/token to stdout, along with broader enforcement and logging features outside the declared scope. For a confirmation mechanism, any example or implementation path that exposes the secret or expands capability beyond the description undermines the trust boundary and can lead to code leakage or unsafe adoption.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Allowing arbitrary external backends and especially a custom executable script introduces a code-execution and exfiltration surface beyond the manifest-declared SMTP/curl path. A malicious or misconfigured backend could leak the OTC, SMTP credentials, operation details, or execute unintended commands, defeating the security guarantees of the confirmation flow.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document makes contradictory security claims: it says the code is deleted after verification success or consumption, but the lifecycle explicitly states the state file is preserved on mismatch so the user can retry. In a security control, inaccurate documentation is dangerous because implementers and operators may assume stronger single-use semantics than actually exist, which can weaken incident response, rate-limit assumptions, and replay/guessing threat modeling.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document says rules are evaluated top-down with 'first match wins', but then separately states DENY rules have highest priority regardless of order. This ambiguity can lead implementers to build conflicting evaluators where an ALLOW rule placed earlier unintentionally bypasses a later DENY, weakening enforcement and enabling unauthorized operations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says the OTC code should never appear in stdout, logs, or chat and should flow through a secure state file/private channel, but the example collects the code via direct user input. In an agent/chat setting, that can expose the confirmation secret in transcripts, model context, logs, or downstream tooling, undermining the one-time confirmation control.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The example invokes shell scripts through subprocess for generating, sending, and verifying OTC codes. Even if arguments are not obviously attacker-controlled here, documenting shell-script execution as part of the confirmation path expands the trusted computing base and encourages brittle integrations where environment, path hijacking, or unsafe script implementations can introduce command-execution risk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file defines a broad audit taxonomy covering file, command, network, database, infrastructure, and communication actions, which materially exceeds the stated scope of a one-time confirmation mechanism. In an OTC skill, adding generalized observability and action-tracking logic increases data collection and operational reach, creating opportunities for privacy leakage, policy bypass through scope creep, and unintended coupling with unrelated sensitive operations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The audit schema explicitly logs detailed command strings, parameters, targets, user identifiers, channel, and conversation metadata, which conflicts with the skill description promising the code never appears in stdout, logs, or chat and implies a privacy-sensitive logging surface around sensitive operations. Even with sanitization, command and context logging is incomplete and regex-based redaction is brittle, so secrets, personal data, or security-sensitive operational details may still be persisted to local logs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The retention, querying, reporting, cleanup, and alerting sections introduce a full observability capability unrelated to the core task of generating and verifying one-time confirmation codes. In the context of a narrowly scoped security skill, this unnecessary expansion increases stored sensitive metadata, widens the attack surface, and normalizes cross-session monitoring functionality that may not be expected by users of an OTC mechanism.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements a broad risk-detection, behavioral monitoring, and prompt-injection scanning engine, which materially exceeds the declared OTC confirmation purpose. This scope expansion increases the skill's authority and data processing surface, creating opportunities for unintended surveillance, policy bypass through hidden coupling, or repurposing into a generalized monitoring component without clear user consent or manifest alignment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Prompt-injection detection is unrelated to the stated OTC confirmation mechanism and introduces additional content inspection logic that can affect control flow and trust decisions. In a mislabeled skill, this is dangerous because it hides broader security mediation capabilities under a narrow consent model, making review and authorization less reliable.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a full audit logging subsystem rather than the declared one-time confirmation mechanism. In a security-sensitive skill pack, this scope mismatch is dangerous because it silently adds data collection, persistence, and operational capabilities that users and reviewers would not expect from an OTC-only component.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Querying, summarization, compression, and retention management greatly expand the module's capabilities beyond confirmation handling. This increases attack surface and creates opportunities for unauthorized access to historical operational metadata, especially in an agent environment where logs may contain sensitive commands, targets, user IDs, and session IDs.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module documentation explicitly advertises structured audit logging for all agent operations, which contradicts the metadata claiming an OTC-focused security mechanism. Misleading packaging is dangerous because it can bypass reviewer expectations and cause operators to deploy broader monitoring and persistence behavior than intended.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The example code prints the confirmation code to stdout despite the skill claiming the code never appears in stdout, logs, or chat. In agent environments, stdout is commonly captured in logs, traces, notebooks, CI output, or chat transcripts, which can leak the one-time code to unintended parties and defeat the confirmation control.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module-level documentation claims plaintext codes are never stored, but the implementation writes the code directly to a state file. This mismatch is dangerous because operators and integrators may rely on the documented security properties when using the skill for sensitive operations, resulting in a false sense of protection and insecure deployment decisions.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The usage text suggests that sensitive operations become safe via an OTC confirmation flow, but the code only emits a CONFIRM decision and performs no code generation, delivery, binding, or verification. In an agent system, this can lead developers to wire sensitive actions to a non-existent or incomplete confirmation control, enabling execution without the intended second factor.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
This is a true security issue in the documentation because it directly contradicts the skill's core claim that OTC codes never appear in chat or logs. Showing concrete codes and instructing the user to reply with the raw code normalizes an unsafe flow, increasing the chance that implementers expose secrets in chat transcripts, examples, copied workflows, or logging paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script supports a `custom` backend that executes an arbitrary path from `OTC_CUSTOM_EMAIL_SCRIPT`, which expands the skill from a narrowly scoped OTC mailer into a general code-execution hook. In the context of a security confirmation mechanism, this is dangerous because the OTC code and related metadata are passed to that script, so any caller who can influence environment variables or deployment config can route sensitive confirmation data to untrusted code or perform unintended actions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The template explicitly tells the user to reply with the one-time confirmation code in the original chat, which directly contradicts the skill’s stated security property that the code never appears in chat. If followed, the code is exposed in the conversation transcript and to any systems, tools, logs, or reviewers with chat access, weakening the out-of-band confirmation mechanism and enabling misuse or replay within the active session.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The email content implies a chat-based return path for the secret, undermining the design claim that the confirmation code remains confined to a secure state/private channel flow. This mismatch can cause operators and users to trust a control that is not actually out-of-band, reducing protection for dangerous or irreversible operations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README defines OTC trigger categories at a high level but leaves activation boundaries and exclusions ambiguous, which can cause inconsistent enforcement by agents or integrators. In a security control whose purpose is to gate sensitive actions, vague policy language can become a bypass path: dangerous operations may be misclassified as non-qualifying and executed without confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The markdown describes logging, alerting, command scanning, path inspection, and behavioral history tracking of potentially sensitive operations, including references to secrets and credential files, without any visible user-facing disclosure or minimization guidance. That creates a privacy and data-handling risk because sensitive command strings, file paths, and environment-related indicators may be collected or retained beyond what users expect from an OTC confirmation skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The logger persists commands, agent identifiers, session IDs, user IDs, and related metadata to disk without any user-facing notice or consent mechanism. Even with regex sanitization, sensitive operational details can remain in logs, creating privacy, compliance, and local data-exposure risks if the filesystem is accessed by other users or processes.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
ai-devops-agent-security-pack/01_agent_security_architecture.md:24

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
ai-devops-agent-security-pack/examples/devops_workflow.md:163