Security audit

AI-Driven Project Management: TensorPM

Security checks across malware telemetry and agentic risk

Overview

TensorPM appears purpose-built for project management, but while the app is running its default local API allows project data to be read and changed without authentication.

Install only if you trust the TensorPM desktop app and its download channels. If you use A2A, enable A2A_HTTP_AUTH_TOKEN before starting TensorPM, run it only on trusted machines, and avoid placing secrets in projects, imported files, or conversations unless you are comfortable with local agents and processes potentially accessing that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
The documentation explicitly states that the local A2A endpoint requires no authentication and that all localhost requests are trusted. That is risky because localhost is not a strong trust boundary: other local processes, browser-based localhost access patterns, malware, or other users on a shared machine may be able to interact with the service and read or modify project data.

Intent-Code Divergence

Medium
Confidence: 88%
Finding:
The skill says core project context can only be modified through the project manager agent, but the same document lists direct REST endpoints for creating projects and creating or updating action items. This mismatch can cause users and integrators to over-trust the agent layer and misunderstand what is directly writable, which weakens security assumptions and can lead to unauthorized or unsafe automations.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill advertises unauthenticated localhost access to project listings, agent cards, conversations, action items, and workspace operations without warning about local privacy exposure. In context, this increases risk because project-management data often contains sensitive business information, and the documentation normalizes broad local access as safe.

VirusTotal

66/66 vendors flagged this skill as clean.