Security audit

Sentinal Redis

Security checks across malware telemetry and agentic risk

Overview

This is a Redis monitoring helper whose read-only diagnostics are purpose-aligned, but its Redis credentials and diagnostic output should be treated as sensitive.

Install only if you intend to let the agent inspect the selected Redis instance. Prefer a read-only or least-privilege Redis account, verify REDIS_URL points to the intended server, avoid putting passwords directly on command lines, and redact slow logs, job payloads, stack traces, keys, and connection details before sharing diagnostics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Low
Confidence: 87%
Finding
The skill declares itself strictly read-only, but then instructs execution of an external health-check script whose contents are not shown in the skill. That creates an opaque trust boundary: the script could perform writes, exfiltrate data, or run broader shell logic, and reviewers/users cannot verify it from this document alone.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill goes beyond infrastructure health monitoring by instructing retrieval of full BullMQ job details, including payload data, failure reasons, and stack traces. These fields often contain sensitive application data, tokens, PII, internal paths, or secrets, so broad disclosure increases confidentiality risk beyond the stated monitoring purpose.

Missing User Warnings

Medium
Confidence: 97%
Finding
The example `redis-cli -h <host> -p <port> -a <password>` places credentials directly on the command line, which can leak via shell history, process listings, audit logs, or terminal recordings. Even in documentation, normalizing this pattern encourages unsafe operator behavior and can expose Redis passwords on shared systems.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script builds a shell command string (`CLI="redis-cli -u $REDIS_URL"`) from user-controlled input and later executes it unquoted as `$CLI ...`. Because shell metacharacters, command substitutions, or argument-breaking whitespace inside `REDIS_URL` can be interpreted by the shell, an attacker can turn a Redis health check into arbitrary command execution on the host running the script. This is especially dangerous because the skill is explicitly intended to inspect live infrastructure and is likely to be run with network access and operator trust.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.