Security audit

meego-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Meego integration, but its instructions repeatedly ask users to paste OAuth credentials into chat and store them for broad project read/write access.

Review before installing. Do not paste credentials.json, access tokens, or refresh tokens into chat; provision them directly on the target host or through a secret manager. Use least-privilege Feishu credentials, rotate any tokens already shared, and require explicit confirmation before comments, field updates, status transitions, or work-item creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs users to paste the full OAuth credentials.json into chat so the AI assistant can install it on the server. This creates a direct secret-exfiltration path through natural language, exposing access_token and refresh_token to the model, chat logs, operators, and any downstream integrations that retain conversation content.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document claims credentials are managed by OAuth/mcporter, which suggests a safer delegated flow, but later instructs manual disclosure of the credential file to the AI for server-side placement. That inconsistency encourages users to bypass the intended trust boundary and normal secret-handling controls, increasing the chance of credential leakage and misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The troubleshooting section repeatedly normalizes resending refreshed credentials to the AI assistant whenever auth breaks or tokens expire. Repetition makes the insecure behavior operationally routine, increasing the likelihood that valid tokens are repeatedly disclosed and available for account or project access.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs users to disclose full OAuth credentials without any clear warning that these are highly sensitive bearer/refresh secrets. Missing secrecy guidance materially increases the chance users will expose reusable tokens that can grant ongoing access to Meego/Feishu project data and actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The troubleshooting flow repeats token-export and sharing instructions but omits any warning about disclosure risk, retention, or replayability of those secrets. In practice, users are being trained to leak secrets during normal support operations, which is especially dangerous because refreshed tokens are likely valid and usable immediately.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file documents write-capable Meego operations such as adding comments, updating fields, and creating work items, but it does not clearly warn that these actions modify live project data or require explicit user confirmation before use. In an agent skill context, this increases the risk of unintended or prompt-induced state changes to project management systems, especially because the same document mixes read and write operations in a how-to style that may encourage automatic execution.

Ssd 3

High
Confidence
99% confidence
Finding
By telling users to paste the full credentials JSON into chat, the skill creates a natural-language data leakage channel for OAuth secrets. Chat is not an appropriate secret transport because the content may be stored, logged, inspected, or reused outside the user's intended boundary.

Ssd 3

High
Confidence
99% confidence
Finding
The repeated guidance to export credentials and send them to the AI reinforces insecure disclosure as part of routine maintenance, widening the leakage surface over time. Because refresh workflows often mint fresh valid tokens, exploitation could enable persistent unauthorized reads, updates, comments, or workflow actions in project systems.

Credential Access

High
Category
Privilege Escalation
Content
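Send the complete JSON content to the AI assistant (paste it into the chat), and the AI will automatically write it to `/root/.mcporter/credentials.json` on the server.

> **Server credentials path:** `/root/.mcporter/credentials.json` (Linux server)
> **Local credentials path:** `~/.mcporter/credentials.json`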

---
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
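Send the complete JSON content to the AI assistant (paste it into the chat), and the AI will automatically write it to `/root/.mcporter/credentials.json` on the server.

> **Server credentials path:** `/root/.mcporter/credentials.json` (Linux server)
> **Local credentials path:** `~/.mcporter/credentials.json`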

---
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
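| Environment | File path | Purpose |
|------|---------|------|
| Server (Linux) | `/root/.mcporter/credentials.json` | OAuth token (written by the AI assistant) |
| Local computer | `~/.mcporter/credentials.json` | OAuth token (written automatically by the auth command) |

> **The configuration format is not** an `app_id + app_secret` JSON, but an OAuth credentials JSON (generated automatically by the Feishu authorization flow).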
Confidence
92% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
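| Environment | File path | Purpose |
|------|---------|------|
| Server (Linux) | `/root/.mcporter/credentials.json` | OAuth token (written by the AI assistant) |
| Local computer | `~/.mcporter/credentials.json` | OAuth token (written automatically by the auth command) |

> **The configuration format is not** an `app_id + app_secret` JSON, but an OAuth credentials JSON (generated automatically by the Feishu authorization flow).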
Confidence
92% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.