Back to skill

Security audit

Nex Vault

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its Telegram setup can unsafely modify the user’s shell startup file and its local-only privacy framing under-discloses external Telegram alerts.

Review before installing. Avoid the built-in Telegram credential setup unless it is fixed to use safe app-scoped storage instead of ~/.bashrc. If Telegram alerts are enabled, assume document names and deadline details may be sent to Telegram. Use the vault only for files you intentionally add, and treat exports as potentially containing full extracted document text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif args.action == 'set-telegram-token':
        token = input("Enter Telegram Bot Token: ")
        import subprocess
        subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_BOT_TOKEN={token}" >> ~/.bashrc'])
        print("Telegram Bot Token saved. Run 'source ~/.bashrc' to apply.")
        print(FOOTER)
Confidence
99% confidence
Finding
subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_BOT_TOKEN={token}" >> ~/.bashrc'])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif args.action == 'set-telegram-chat':
        chat_id = input("Enter Telegram Chat ID: ")
        import subprocess
        subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_CHAT_ID={chat_id}" >> ~/.bashrc'])
        print("Telegram Chat ID saved. Run 'source ~/.bashrc' to apply.")
        print(FOOTER)
Confidence
98% confidence
Finding
subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_CHAT_ID={chat_id}" >> ~/.bashrc'])

Tainted flow: 'token' from input (line 482, user input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
elif args.action == 'set-telegram-token':
        token = input("Enter Telegram Bot Token: ")
        import subprocess
        subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_BOT_TOKEN={token}" >> ~/.bashrc'])
        print("Telegram Bot Token saved. Run 'source ~/.bashrc' to apply.")
        print(FOOTER)
Confidence
100% confidence
Finding
subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_BOT_TOKEN={token}" >> ~/.bashrc'])

Tainted flow: 'chat_id' from input (line 489, user input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
elif args.action == 'set-telegram-chat':
        chat_id = input("Enter Telegram Chat ID: ")
        import subprocess
        subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_CHAT_ID={chat_id}" >> ~/.bashrc'])
        print("Telegram Chat ID saved. Run 'source ~/.bashrc' to apply.")
        print(FOOTER)
Confidence
99% confidence
Finding
subprocess.run(['bash', '-c', f'echo "export NEX_VAULT_TELEGRAM_CHAT_ID={chat_id}" >> ~/.bashrc'])

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires environment access, file read/write, shell execution, and network access for Telegram notifications. This mismatch weakens user and platform trust boundaries because an agent may invoke capabilities the user did not knowingly approve, especially given it also runs setup scripts and processes local documents.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond a simple local vault: it exports metadata, stores full extracted document text, edits ~/.bashrc to persist Telegram credentials, invokes external executables, and runs a setup script that installs dependencies. These undisclosed or underemphasized behaviors materially increase privacy and integrity risk because sensitive contract contents and secrets may be persisted, exposed, or modified in ways users would not expect from the top-level description.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Appending configuration to ~/.bashrc via bash introduces an unnecessary persistence mechanism outside the skill's core document-vault functionality. Even aside from injection, silently modifying a shell startup file changes the user's environment permanently and can be abused to maintain control or affect future shell behavior.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README instructs users to configure a Telegram bot token and chat ID but does not warn that these credentials will be stored locally and used to transmit notification metadata to Telegram, a third-party service. In a skill marketed as a local, privacy-preserving document vault, that omission can mislead users about data handling and create avoidable credential exposure or privacy risks if the token is stored insecurely or alerts contain sensitive contract information.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad everyday terms such as 'contract', 'insurance', 'license', 'renewal', and 'deadlines', which can cause the skill to activate in contexts where the user did not intend document processing. In a skill that can read files, store sensitive business text, export data, and send notifications, overbroad activation increases the chance of unintended access or disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises export and Telegram notification features without prominent warnings that contract metadata, deadlines, and potentially sensitive extracted content may be written to files or transmitted to a third-party messaging service. In the context of business agreements and compliance documents, this can expose confidential information, create regulatory issues, or leak sensitive operational timelines.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends alert messages derived from document metadata over the network to Telegram, which is a third-party service. In a document-vault skill handling contracts, leases, insurance, and other sensitive business records, even filenames, deadlines, and notice events can reveal confidential business relationships and operational details if users are not clearly informed and the feature is enabled without strong consent controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The bot token is a sensitive credential, and this code persists it into ~/.bashrc without adequately warning the user about exposure and long-term storage implications. Shell startup files may be readable by other local processes, included in backups, or accidentally disclosed, increasing credential leakage risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This writes configuration persistently into ~/.bashrc without clearly disclosing the file modification to the user. The chat ID is less sensitive than a bot token, so the confidentiality risk is lower, but the hidden persistence behavior is still undesirable and can surprise users or create unintended side effects.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.