Company Api

Security checks across malware telemetry and agentic risk

Overview

This skill is an internal API helper, but it can change company records and it stores sensitive login material locally, so it should be reviewed before use.

Install only if you trust the configured API endpoint and are comfortable giving this skill your internal platform API keys, login password, and authority to create company records. Prefer a least-privilege or test account, verify the base URL carefully, keep the generated config and token files out of shared or synced folders, and treat project-add, task-add, and product-add as production-changing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill exposes shell-based operational capability but does not declare permissions, which weakens transparency and informed consent for users and reviewers. In this case, the shell entrypoint is used to collect credentials, manage tokens, and invoke internal API actions, so the undeclared capability increases the risk of unexpected sensitive operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose emphasizes querying company data, but the skill also performs write actions such as creating projects, tasks, and products, and it collects and stores high-value credentials and user-supplied tokens. That mismatch is dangerous because users may grant trust expecting read-only reporting behavior while the skill can modify internal systems and persist secrets locally.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as a query interface for company data, but the code includes product-creation functionality. This mismatch is dangerous because users or higher-level agents may invoke the skill expecting read-only behavior while it can mutate business data, causing unauthorized or accidental changes in internal systems.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script can create projects even though the declared purpose emphasizes querying internal platform data. Hidden write actions increase the risk of privilege misuse, accidental state changes, and unsafe delegation by agents that rely on metadata to determine whether a tool is safe to call.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Task creation exceeds the stated query-oriented purpose of the skill, creating a deceptive capability boundary. In an internal company environment, this can lead to unintended operational changes, spam tasks, or abuse by an agent that assumes the tool is read-only based on its description.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup flow writes API keys, account names, and the login password into a local JSON file in plaintext without a clear warning or protection mechanism. If the host is multi-user, backed up, synced, or compromised, these credentials can be recovered and used to access sensitive company systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script caches authentication tokens to disk without prior disclosure or hardening. Cached bearer tokens can often be replayed directly, so local file disclosure may immediately grant access to internal data or administrative functions without needing the user's password.

External Transmission

Medium
Category
Data Exfiltration
Content
    if [ "$(date +%s)" -lt "$exp" ] && [ -n "$t" ]; then echo "$t"; return 0; fi
  fi

  local r; r=$(curl -s -X POST "$base_url/open/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"access_key\":\"$ak\",\"secret_key\":\"$sk\"}")
  local s; s=$(echo "$r" | jq -r '.status')
Confidence
89% confidence
Finding
curl -s -X POST "$base_url/open/auth/login" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
do_login() {
  local api_base; api_base=$(jq -r '.base_url // ""' "$CONFIG_FILE" 2>/dev/null)
  load_config
  local r; r=$(curl -s -X POST "${api_base}/ent/user/login" \
    -H "accept: application/json" -H "content-type: application/json" \
    -H "user-agent: Mozilla/5.0" \
    -d "{\"account\":\"$ACCOUNT\",\"password\":\"$PASSWORD\"}")
Confidence
91% confidence
Finding
curl -s -X POST "${api_base}/ent/user/login" \ -H "accept: application/json" -H "content-type: application/json" \ -H "user-agent: Mozilla/5.0" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "正在验证...请稍候"

  # Try open-platform login first
  local r; r=$(curl -s -X POST "$base_url/open/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"access_key\":\"$ak\",\"secret_key\":\"$sk\"}")
  local s; s=$(echo "$r" | jq -r '.status')
  if [ "$s" = "200" ]; then
    echo "✅ 开放平台验证通过"
Confidence
93% confidence
Finding
curl -s -X POST "$base_url/open/auth/login" -H "Content-Type: application/json" -d

External Transmission

Medium
Category
Data Exfiltration
Content
fi

  # Try user login
  r=$(curl -s -X POST "$base_url/ent/user/login" \
    -H "accept: application/json" -H "content-type: application/json" \
    -H "user-agent: Mozilla/5.0" \
    -d "{\"account\":\"$acct\",\"password\":\"$pwd\"}")
  s=$(echo "$r" | jq -r '.status')
  if [ "$s" = "200" ]; then
    echo "✅ 用户登录验证通过"
Confidence
94% confidence
Finding
curl -s -X POST "$base_url/ent/user/login" -H "accept: application/json" -H "content-type: application/json" -H "user-agent: Mozilla/5.0" -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal