Signal messaging for standalone bots/accounts

Security checks across malware telemetry and agentic risk

Overview

This Signal bridge is mostly disclosed, but it lets remote Signal messages wake and steer an agent while the advertised permission and triage controls are largely advisory rather than enforced.

Install only for a dedicated Signal bot/account and treat every incoming Signal message as untrusted input. Before enabling cron or the wake hook, protect the signal-cli data directory, wake token, permissions file, and conversation logs; require local confirmation for commands, installs, file/config changes, and permission changes requested over Signal; and define retention or disable plaintext logging if conversations may contain sensitive data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill clearly instructs the user to run shell commands, install software, configure cron jobs, and invoke local scripts, yet it declares no permissions. This creates a transparency and governance problem: an agent or operator may treat the skill as lower-risk than it really is, despite it enabling command execution and persistent system changes.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The document claims security-first role-based permissions and contact triage, but the finding indicates these controls are not actually enforced in code. In a messaging integration, overstating enforcement is dangerous because operators may trust the skill to block untrusted contacts from driving agent behavior when, in practice, those protections may be only advisory or logging-only.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill tells users to configure a wake-hook secret token but does not instruct them to protect, rotate, or avoid exposing it in scripts and configs. If that token is leaked, an attacker could trigger unauthorized wake events and potentially cause repeated agent activation or abuse of any downstream automation tied to the hook.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill advertises auto-logging of all sent and received messages to conversation files without warning about sensitive content retention, local access control, or deletion policies. Messaging logs can contain personal data, credentials, attachments, and operational instructions, so silent retention increases privacy and breach impact if the host is compromised or shared.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The troubleshooting guide instructs users to manually delete Signal CLI lock files with `rm ~/.local/share/signal-cli/data/*.lock` but does not warn that lock files may protect against concurrent access and state corruption. In an agent or automation context, operators may copy this blindly, leading to unsafe recovery steps, inconsistent state, or corruption if another process is still active.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script configures the wake endpoint with plain HTTP while also sending a bearer token for authentication. If the service is ever accessed over a non-loopback interface, through port forwarding, a proxy, or container/network misconfiguration, the token can be intercepted or replayed by a local network adversary or adjacent process, enabling unauthorized wake requests.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script persists full outgoing message contents to a local history file in plaintext under the user's home directory. Because this skill handles Signal conversations, those messages may contain sensitive personal, operational, or authentication-related data, and local plaintext retention expands exposure beyond Signal's encrypted transport if the host, backups, or local account are compromised.

Ssd 3

Medium

Confidence: 97% confidence
Finding: Storing all outgoing Signal message content in plain-language history files undermines the privacy expectations of an encrypted messaging integration. In this skill context, centralized agent-driven messaging can aggregate highly sensitive conversations, so plaintext logs create a secondary data store that is easier to read, exfiltrate, or accidentally disclose than the original Signal channel.

External Transmission

Medium

Category: Data Exfiltration
Content: ffmpeg -i /path/to/attachment.m4a -ar 16000 -ac 1 -c:a pcm_s16le /tmp/audio.wav -y # Transcribe (whisper.cpp server example) curl -s http://127.0.0.1:8080/inference -F "file=@/tmp/audio.wav" -F "language=en" # Or use OpenAI Whisper, faster-whisper, etc. ```
Confidence: 71% confidence
Finding: curl -s http://127.0.0.1:8080/inference -F "file=@/tmp/audio.wav" -F "language=en" # Or use OpenAI Whisper, faster-whisper, etc. ``` ### Sending voice replies ```bash # 1. Generate speech (example

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal