Back to skill

Security audit

Ccp Session Update

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent session wrap-up workflow, but it gives an agent broad persistent write access and undeclared credential handling that users should review carefully before installing.

Install only if you control the referenced Notion database, 1Password item, Proton Drive/Obsidian vault, Docker Plane instance, and Plane projects. Before use, replace the hardcoded personal paths and IDs, make credential access match the manifest, and require explicit review before syncing session details or changing Plane issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs operators to retrieve a Notion credential directly from 1Password even though the manifest only declares an environment variable requirement. This expands the trust boundary, encourages secret access beyond the declared interface, and can normalize unnecessary credential exposure or secret exfiltration patterns in agent workflows.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The manifest says the skill requires NOTION_API_KEY, but the body tells the operator to ignore that path and fetch a different key from 1Password. This mismatch undermines policy enforcement and reviewability, because security controls may approve the skill based on declared requirements while the actual instructions use a separate, undeclared credential source.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill performs several state-changing actions: modifying local project files, writing into a synced Obsidian/Proton Drive vault, posting to Notion, and creating or closing Plane issues. Without an explicit user-facing warning or confirmation gate, an agent could carry out broad changes to local, cloud, and task-management state that the user did not intend.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.