Back to skill

Security audit

shimo-export

Security checks across malware telemetry and agentic risk

Overview

This skill is built for Shimo document export, but it handles a full live session cookie and can automatically scan or export broad personal and team documents with limited confirmation.

Install only if you intentionally want an agent to use a full Shimo session and download documents available to that account. Use it on a trusted machine, avoid all-space exports unless you really mean it, confirm scope and destination before exporting, protect or delete config/env.json after use, and rotate or revoke the Shimo session if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This script implements a local man-in-the-middle style reverse proxy for authentication, rewrites Set-Cookie attributes, strips browser security headers, and captures the shimo_sid session token for storage. Even if intended to simplify login, this materially expands the skill from document export into credential interception and session handling, creating a high-risk path for session theft, misuse, or accidental exposure if the local proxy is abused or the saved token is read by other local processes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation criteria are explicitly broad enough to trigger on generic requests about exporting or downloading documents, even when the user does not mention Shimo. That can cause unintended skill invocation, leading the agent to use stored Shimo credentials and perform document discovery or export actions in the wrong context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs the agent to automatically launch a browser-based login flow and capture authentication cookies via a local reverse proxy, without requiring an explicit, informed user consent step at execution time. Because this flow acquires live session credentials and continues the original request automatically after login, it increases the risk of surprise credential capture and unintended access to a user's Shimo data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly says exports should proceed without confirmation unless the file count exceeds 20, which permits silent authenticated bulk export of potentially sensitive documents. In an agent setting, this weakens user intent verification and can turn a vague or misrouted request into a large-scale data exfiltration event.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill explicitly instructs downloading remote content to a local filesystem path under /tmp without requiring user confirmation, constraining the destination, or warning about overwrite and disk-write behavior. In an agent setting, this can cause unintended local file creation or replacement, and the risk is elevated because the downloaded URL is remote and the filename may be influenced by document metadata.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation provides authenticated request headers, including a session cookie, and describes direct export/download flows for documents without any user-consent, authorization, data-classification, or handling guidance. In a skill explicitly designed for bulk browsing and export of team-space documents, this lowers the barrier to mass data exfiltration by an agent or user who already has a valid session.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation explicitly instructs use of a session cookie (`shimo_sid`) as an authentication credential and describes account-identifying endpoints, but it does not warn that this cookie is equivalent to account access and must be handled as a secret. In an AI skill context focused on automated export, this increases the risk that agents, logs, prompts, or downstream tools may expose or mishandle live credentials and user data during browsing or batch export workflows.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
auth/scripts/browser-login.cjs:254