Back to skill

Security audit

МойСклад

Security checks across malware telemetry and agentic risk

Overview

This MoySklad ERP skill is mostly coherent, but it has an unsafe raw API helper that can leak credentials and modify live business records without safeguards.

Review carefully before installing. Use a least-privilege MoySklad token instead of login/password, avoid the raw api command with full URLs, and require human review before POST, PUT, PATCH, or DELETE operations against production ERP data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The generic `api` command exposes arbitrary MoySklad REST operations, which bypasses the narrower workflows described by the skill metadata. In an agent setting, this materially expands capability scope from curated read/write actions to any endpoint the credentials can access, enabling unintended data modification, deletion, or access to sensitive business records.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The `api()` helper accepts any absolute URL via `path.startsWith("http") ? path : ...`, so the Authorization header containing MoySklad credentials or token will be sent to attacker-controlled hosts. This is a classic credential exfiltration/SSRF-style issue because untrusted input can redirect authenticated requests away from the intended API origin.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly documents create, update, and delete operations, including raw API calls, but provides no warning that these actions can permanently modify or remove ERP records. In an enterprise system handling products, orders, counterparties, and invoices, omission of destructive-action warnings increases the chance of accidental data loss or unauthorized state changes by downstream agents or users.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples include write operations that create and modify real ERP objects such as counterparties, orders, invoices, stock entries, and product prices, but they do not clearly warn that these calls affect live business data. In an agent-skill context, users may copy or execute examples directly, causing unintended changes to production inventory, finance, or customer records.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The direct `api` command allows arbitrary HTTP methods and bodies, including destructive writes such as DELETE or broad POST/PATCH operations, without any confirmation or safety interlock. In an agent workflow, a mistaken prompt or adversarial instruction could trigger irreversible changes to ERP data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/moysklad.mjs:14