kitchen-control

Security checks across malware telemetry and agentic risk

Overview

The skill's code matches its stated freezer-inventory purpose, but it changes business records in response to WhatsApp messages using an admin PocketBase login, without enforcing the authorization its description claims.

Review before installing in a real store. Deploy it only behind an authenticated WhatsApp webhook, replace the admin PocketBase login with a least-privilege service account scoped to the inventory collection, add sender allowlists or role checks, validate and require confirmation for state-changing commands, and document what business data is stored in PocketBase or sent to external AI services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill explicitly states it sends inventory, sales, pricing, and forecasting-related data to an external AI API, but the description does not warn users that operational business data may leave the local environment. This creates a transparency and privacy risk because operators may unknowingly transmit sensitive commercial data, potentially violating internal policy, vendor agreements, or data-handling expectations.

Missing Authorization on State-Changing Commands

Severity: Medium
Confidence: 89%
Finding
The skill accepts chat commands and directly creates or updates inventory records without any authorization, origin validation, or confirmation step. In practice, any caller able to reach the skill can manipulate stock data, create arbitrary items, or poison business records, which can disrupt operations and conceal fraud.

Admin Credential Reuse in Message Handler

Severity: Medium
Confidence: 97%
Finding
The code reads an administrative credential from the environment, authenticates as the PocketBase admin account, and then reuses that elevated session inside the message handler. Because untrusted user input later drives database operations, every reachable command path effectively runs with admin privileges, which greatly increases the blast radius of abuse and turns ordinary input-handling flaws into full database compromise.

VirusTotal

0/53 vendors flagged this skill; all 53 reported it clean.
