Security audit

password-manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a local password manager, but it stores, backs up, and exports passwords in plaintext with weak safeguards for such sensitive data.

Review carefully before installing. There is no evidence of hidden network exfiltration or destructive malware, but do not use this for real passwords unless you accept plaintext local files and plaintext backups/exports. Prefer a vetted encrypted password manager, or require encryption at rest, restrictive file permissions, narrow activation rules, and explicit confirmations before viewing, exporting, deleting, importing, or backing up secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes local file read/write behavior for highly sensitive credential data, but no explicit permissions are declared. In a password-manager context, undeclared filesystem access is dangerous because it can bypass user expectations and platform consent controls while handling secrets, backups, imports, and exports. The risk is amplified by the documented plaintext/local JSON storage of passwords.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This is a real security issue in the context of a password-manager skill because the code labels the passphrase generator as "more secure" while generating output from a small fixed word list and Python's non-cryptographic random module. That combination makes the search space far smaller and potentially predictable, which can mislead users into trusting weak credentials for protecting sensitive accounts.

Vague Triggers

Medium
Confidence
82% confidence
Finding
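The trigger examples in the README, such as “帮我保存一个密码” ("help me save a password") and “导出我的密码” ("export my passwords"), are worded naturally and broadly and easily overlap with ordinary conversation, so the skill can be activated when the user has not explicitly asked for password-management functionality. Because the skill handles highly sensitive credential data, a false trigger could cause high-risk operations such as recording, displaying, exporting, or deleting passwords to be executed unintentionally.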

Vague Triggers

Medium
Confidence
88% confidence
Finding
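Several of the invocation phrases listed in the documentation lack scope, preconditions, and safety constraints, and the activation conditions are unclear, which may let the host agent enter the password-management flow on vague natural language alone. Given that the skill's capabilities include saving, looking up, modifying, deleting, importing, and exporting passwords, this ambiguous trigger design amplifies the risk of mistaken invocation and of unauthorized operations on sensitive data.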

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger terms are broad and overlap with ordinary conversation about passwords, accounts, or saving credentials. For a skill that can read, display, store, export, or delete secrets, accidental invocation can expose sensitive data on screen, cause unintended persistence of credentials, or prompt destructive actions in the wrong context.

Missing User Warnings

High
Confidence
99% confidence
Finding
The manager persists and backs up full credential records, including raw passwords, directly to JSON files on disk without encryption, access-control hardening, or any warning to the user. In a password-manager context this is especially dangerous because compromise of the local account, backups, shared filesystem access, malware, or accidental file exposure immediately reveals all stored secrets in plaintext.

Missing User Warnings

High
Confidence
98% confidence
Finding
The export functions write usernames and passwords to arbitrary JSON/CSV paths in plaintext, which can leak credentials through insecure directories, sync folders, shared locations, backups, or accidental forwarding. CSV export is particularly risky because it encourages easy opening, copying, and redistribution of complete credential sets outside any protected storage model.

VirusTotal

64/64 vendors flagged this skill as clean.
