Back to skill

Security audit

Multi User Privacy

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad multi-user admin system with real privacy goals, but it hard-codes a specific administrator account and exposes powerful unauthenticated admin controls.

Install only after replacing all hard-coded admin and recipient IDs with your own, adding authentication and localhost-only binding to the web admin server, reviewing post-install changes, and rotating or removing any real-looking secrets in the docs. Treat this as an administrative control-plane skill, not just a privacy filter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (68)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill claims strong per-user memory isolation, but the documented implementation loads a shared daily memory file for every user. That creates a direct cross-user data exposure path: if any user's content or derived summaries are written into the daily file, other users can read information outside their own isolated scope, defeating the privacy model.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation markets 'physical isolation' and says normal users cannot access MEMORY.md, but the broader design still gives all users access to shared daily memory. Even if MEMORY.md itself is protected, the shared file becomes a side channel that can leak sensitive context and makes the isolation claims materially misleading.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document exposes specific user identifiers and role mappings while simultaneously describing a privacy-preserving multi-user system. Even if these are internal IDs, publishing them materially lowers the effort needed for user enumeration, impersonation attempts, targeted phishing, or cross-reference with logs and APIs.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The audit log example directly reveals another account's ID in a section that states such disclosure must not occur. This demonstrates either unsafe logging practice or unsafe documentation handling, both of which can leak sensitive cross-user metadata and undermine the stated isolation guarantees.

Intent-Code Divergence

High
Confidence
100% confidence
Finding
A full API key is embedded in the API documentation in plaintext. If valid, it can enable unauthorized API use, fraudulent content insertion, abuse of backend resources, and persistence of compromise until the secret is rotated.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The Feishu configuration example includes a plaintext app secret, which is sensitive authentication material. Exposure of application credentials can allow unauthorized messaging, API access, impersonation of the integration, and compromise of alerting or administrative workflows.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
This module is presented as a privacy guard, but it also performs session routing and sub-agent creation through `gatewayHook.handleMessage`. That is a significant scope expansion: a component trusted to enforce isolation is also given control over session orchestration, increasing the chance that privacy checks are bypassed, misapplied, or coupled to unsafe routing behavior.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Auto-creating and managing sub-agent sessions is not necessary for a privacy-checking utility and violates least privilege. Because `handleUserMessage`, `getUserSessionInfo`, `listAllUserSessions`, and `processPendingSubAgents` expose operational control over user sessions, a bug or misuse in this module could lead to cross-user session linkage, unintended agent creation, or unauthorized access to conversation state.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The exported `listAllUserSessions()` function enables enumeration of all user sessions, which is excessive for a privacy tool and creates an information disclosure risk. In a multi-user environment, session metadata alone can reveal user presence, identifiers, routing state, and operational patterns that should not be broadly exposed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
These examples explicitly coach the assistant to conceal the existence of other users and administrative relationships rather than truthfully refusing to disclose private information. That creates deceptive behavior, undermines user trust, and can be combined with later exception logic to hide unauthorized data handling or special access paths.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The 'only you and TA exist' rule conflicts with a later admin exception allowing user-list access and conversation auditing, meaning the prompt directs the assistant to maintain a false worldview while retaining multi-user capabilities. This mismatch is dangerous because it normalizes concealment and can mislead users about how their data is handled or who can access it.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The quota check builds incorrect attribute names for most quota types, so valid requests may be denied or quota enforcement may behave inconsistently. In a quota-management component, broken enforcement is security-relevant because it can undermine availability controls, policy enforcement, and downstream authorization decisions that depend on accurate quota state.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Expired borrow records are only marked expired, but the borrowed quota remains credited to the user, allowing quota increases to persist beyond their intended lifetime. An attacker or abusive user could retain elevated quota indefinitely after a temporary grant expires, defeating resource controls and potentially causing storage, API, or messaging abuse.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The script claims to wrap file system access globally to prevent bypass, but it only hooks a few synchronous APIs and leaves many others untouched, such as async fs methods, streams, rename/copy operations, and direct use of fs.promises. In a security control, this mismatch is dangerous because callers may assume enforcement is comprehensive while an attacker or another component can access sensitive files through unwrapped paths.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The read hook treats both MEMORY.md and /memory/ as sensitive, but the write hook only checks /memory/ and omits MEMORY.md. That inconsistency creates a direct policy bypass where a sensitive memory file may be writable even though the code and comments suggest it is protected.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code claims to perform privacy-preserving rewriting, but explicitly exempts admin-role users and returns the original unredacted message unchanged for them. In a tool whose stated purpose is to rewrite blocked content to pass checks, this role-based bypass undermines privacy controls and creates a direct path for sensitive content disclosure.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script advertises automatic privacy-hook injection, but it only prepends helper definitions and exports a global object; it does not insert actual invocations into the request/response flow. This creates a false sense of protection, causing operators to believe privacy checks are enforced when in practice they will not run unless developers manually add call sites later.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file exposes a fully functional license generator both as a CLI command and as an exported API, while using a hardcoded signing secret embedded in the same source. That means anyone with access to this script can mint valid pro/enterprise licenses, bypassing licensing and feature restrictions entirely; in this skill context, the license gates control privacy and multi-user protections, so bypassing them can also disable intended security boundaries and operational safeguards.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module is documented and presented as a performance/cache utility, but it also reads and writes a persistent user behavior database under the user's home directory. This mismatch is security-relevant because consumers may import or enable the module expecting only local caching, while it silently handles behavioral data persistence, reducing transparency and informed consent around sensitive data processing.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file advertises privacy protection, but explicitly exempts admin users from most checks and all sanitization. In a multi-user privacy guard, broad role-based bypasses can leak other users' identifiers and names whenever admin status is assigned, undermining the core security boundary and creating a dangerous false sense of protection.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The guest template is defined as read-only and highly restricted, but applyTemplateToSession merges user-supplied sessionConfig over the template, allowing callers to override guest permissions and quotas. If untrusted or insufficiently authorized code can supply sessionConfig, a guest session could be upgraded to writable or more privileged behavior, undermining the template’s security boundary.

Intent-Code Divergence

Low
Confidence
72% confidence
Finding
The code claims built-in templates are non-modifiable, but _ensureBuiltInTemplates merges existing on-disk values into built-ins on startup whenever existing.isBuiltIn is true. That means any prior tampering of the persisted config can survive reloads and continue altering privileged built-in templates such as admin, weakening trust in supposedly fixed security defaults.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The summary explicitly states the admin web interface defaults to no authentication while also documenting administrative endpoints for reading data and creating, deleting, and updating users/quotas. In the context of a web-admin skill tied to shared multi-user data, that means anyone who can reach the service may be able to view sensitive session data and perform privileged actions, making this a real security issue rather than a documentation-only concern.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The server explicitly enables cross-origin requests from any origin and exposes administrative endpoints with no authentication or authorization checks. Any website reachable by a browser on the same machine can issue requests to create users, delete users, or modify quota state, leading to unauthorized administration of persisted local data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog explicitly documents a destructive `clear` command for the session database but does not warn that running it may delete session history/state and disrupt privacy controls or auditability. In a multi-user privacy skill, encouraging operators to clear session data as routine troubleshooting can lead to accidental data loss, loss of forensic records, and temporary weakening of isolation tracking if used improperly.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.exposed_secret_literal

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
docs/VIP-AGENT-SETUP.md:235

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
docs/PROJECT_SUMMARY.md:810