Back to skill

Security audit

Beeper API CLI

Security checks across malware telemetry and agentic risk

Overview

This Beeper messaging skill is mostly coherent, but it needs review because it can access private chats, send messages, auto-launch Beeper Desktop, and passes the Beeper token to a hard-coded CLI binary not included in the reviewed artifact.

Install only if you can verify the Beeper CLI binary at the configured path and are comfortable giving it your Beeper bearer token. Keep the API on localhost unless you intentionally configure remote access, expect the wrapper to start Beeper Desktop automatically, and approve any send only after checking the exact recipient, network, and full message text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes shell-executable capabilities but does not declare permissions or clearly bound what commands may be run. This creates a trust and review gap: an agent may invoke local binaries that can read messages, search chats, or send messages across connected accounts without an explicit permission model.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The workflow example instructs the agent to send a message immediately after selecting a chat, but omits the documented approval checkpoint. In practice, examples strongly shape agent behavior, so this contradiction can lead to unauthorized outbound messages on real user accounts.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script automatically launches a GUI desktop application when it is not already running, which expands the skill's behavior from a simple CLI wrapper into process control over the host. In an agent context, this can trigger unintended application execution, UI changes, or side effects without explicit user approval, increasing the attack surface beyond the stated read/send messaging functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill description highlights convenience and broad multi-network access but does not warn that using the tool can expose private messages and search across all connected chats. This omission increases the risk of overbroad data access and accidental privacy violations because users and downstream agents may not appreciate the sensitivity of the data surface.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.