Back to skill

Security audit

Solid Agent Storage

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Solid storage purpose, but it needs review because crafted agent names can write or delete outside the stated credential folder and provisioned accounts use weak generated passwords.

Review before installing. Use only trusted Solid servers, prefer HTTPS except local development, choose simple safe agent names until path validation is fixed, keep INTERITION_PASSPHRASE strong and private, treat printed Bearer tokens as secrets, and avoid storing sensitive long-term data unless you are comfortable with the Pod and ACL settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented deprovision command permanently removes an agent's Pod, credentials, and account state, but the documentation shows no interactive confirmation, dry-run mode, or strong warning before destructive execution. In an agentic or automated environment, this increases the risk of accidental irreversible data loss from misunderstanding, prompt injection, or misuse of the command.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The provisioning flow generates a password and client secret, then returns them in a plain object to any caller without any built-in redaction, secure storage, or explicit secret-handling guardrails. In agent frameworks, returned values are often logged, serialized, or exposed to downstream components, which increases the likelihood of accidental credential disclosure and unauthorized access to the agent's Solid Pod and identity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The functions send passwords, client secrets, and session cookies to arbitrary serverUrl values without enforcing HTTPS or validating trust boundaries. If a caller passes an insecure or attacker-controlled URL, credentials and authenticated session material may be exposed in transit or sent directly to a malicious endpoint, enabling account takeover or secret theft.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The type definition shows the credential store is designed to accept and persist highly sensitive fields including `secret` and optional `password`, which strongly suggests plaintext handling at the API boundary without any visible constraints, redaction, or safer credential abstraction. In a CLI skill that provides persistent identity and Pod access, storing or exposing these values insecurely could enable account takeover, unauthorized Pod access, and leakage of long-lived credentials from disk, logs, or downstream consumers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This CLI provisions an agent and then persists highly sensitive material including client credentials, email, and password via saveCredentials(). Storing secrets is sometimes necessary for functionality, but doing so without visible consent, disclosure, or clear handling guarantees in this code increases the risk of inadvertent credential exposure through local compromise, backup leakage, or misuse by downstream code.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This reference documentation includes destructive operations (PUT overwrite, DELETE, PATCH, ACL rewrites, and public-read grants) but does not consistently warn that these actions can irreversibly delete data, lock out the owner, or expose private resources. In an agent skill context, users or downstream agents may copy these commands mechanically, so missing safety guidance materially increases the chance of accidental data loss or overexposure.

VirusTotal

44/44 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.