Back to skill

Security audit

Vikunja Tasks

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its task-search/filter handling can let crafted input execute local Python code before contacting Vikunja.

Use only after patching the URL-encoding logic to pass search/filter values as arguments or environment variables, not embedded code. Configure a limited, revocable Vikunja token, verify VIKUNJA_URL points to your HTTPS server, confirm write actions before running them, and enable the cron/Telegram notification only if recurring external notifications are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell scripts and makes outbound API calls to a self-hosted Vikunja instance, but the skill manifest does not declare permissions for those capabilities. Undeclared network and shell access weakens the trust boundary for users and reviewers, making it harder to assess what the skill can do and increasing the chance of unexpected command execution or data exfiltration.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description is broad enough to match many ordinary productivity requests such as reminders, to-do lists, and task tracking. Over-broad routing can cause the agent to invoke this skill unexpectedly, exposing task data or triggering network-backed actions when the user did not clearly intend to use the external Vikunja integration.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill states that all times are handled in America/Denver and even recommends cron scheduling in that timezone without user opt-in. Enforcing a fixed timezone can cause tasks, due dates, and proactive notifications to be evaluated at the wrong time, leading to missed deadlines, premature actions, or privacy-impacting notifications delivered unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
# --- Helpers ---
api_get() {
  curl -s -H "$AUTH" "${API}/$1"
}

api_put() {
Confidence
88% confidence
Finding
curl -s -H "$AUTH" "${API}/$1" } api_put() { curl -s -X PUT -H "$AUTH" -H "Content-Type: application/json" "${API}/$1" -d "$2" } api_post() { curl -s -X POST -H "$AUTH" -H "Content-Type: applica

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.