
Security audit

VMflow

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for vending-fleet operations, but it gives agents direct control over real machines, credits, firmware, and device secrets without enough guardrails.

Install only if you are an authorized VMflow fleet operator and are comfortable giving the agent access to Supabase credentials and per-device passkeys. Treat all credit, restart, out-of-sequence, and OTA actions as manual-approval operations, redact tokens and passkeys from logs and chat output, and prefer read-only diagnostics before issuing device-changing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The tool description and the code do not match. The description presents a broad fleet-management capability set built on MQTT RPC and Supabase, including sales/inventory queries and firmware updates. The actual code only sends signed MQTT RPC messages to a device topic and optionally listens for a response. Its supported commands, such as credit and info, partially align with the description, but it also exposes additional device-control actions the description never mentions, and none of the claimed Supabase functionality, sales/inventory querying, or firmware update behavior is present. A description that both overstates and understates what the tool does lets an agent plan against capabilities it lacks while remaining unaware of the device-changing ones it actually has.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The playbook recommends potentially disruptive commands such as `oos` and `restart` as recovery steps without any warning, approval gate, or guidance on their operational consequences. In a fleet-management skill with real device control, an agent following the playbook during routine troubleshooting can interrupt service, reboot devices, or turn a minor fault into a wider outage.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill instructs the agent to obtain bearer tokens and fetch per-device secrets such as passkeys, then use them for fleet control, but it never warns that these are high-sensitivity credentials whose disclosure would let anyone sign device commands directly. The missing warning matters here because the same document combines credential retrieval with operational control over physical vending devices, which raises the chance that a passkey ends up in a log, a transcript, or chat output.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document provides ready-to-run state-changing commands such as send-credit, restart, oos, dex, buzzer, and OTA without user-facing cautions, confirmation requirements, or operational guardrails. Because these commands affect physical devices, and with them revenue, availability, and firmware integrity, presenting them without friction materially increases the risk of accidental misuse or unauthorized harmful actions by an agent or an operator.
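The overview recommends treating credit, restart, oos and OTA as manual-approval operations and redacting tokens and passkeys from logs and chat output; the three Missing User Warnings findings above describe what happens when neither control exists. The following is an added example of such a gate, written for this audit and not VMflow's own code. Only the command names come from the page; the choice that `info` is the sole read-only command, the secret formats scrubbed by `redact`, and the `fake_send` and `operator_console` stand-ins are assumptions for the sake of a runnable demonstration.

```python
"""Approval gate and secret redaction for agent-issued device RPCs.

Added example for the audit above, not VMflow's code. Command names are
taken from the findings; everything else is an assumption.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Any, Callable

# Assumption: only "info" is a read-only diagnostic. The rest spend credit,
# change device state, or replace firmware and therefore need an operator.
READ_ONLY_COMMANDS = {"info"}
STATE_CHANGING_COMMANDS = {"credit", "restart", "oos", "dex", "buzzer", "ota"}

# Secret shapes to scrub (assumed formats): "Bearer <token>" and
# key=value / "key": "value" forms for passkeys, tokens and API keys.
_SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._\-]{8,}"), r"\g<1>[REDACTED]"),
    (re.compile(r"(?i)\b(passkey|token|secret|api[_-]?key)(['\"]?\s*[=:]\s*['\"]?)[^\s,;'\"]+"),
     r"\g<1>\g<2>[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace bearer tokens and passkey/token values with a placeholder."""
    for pattern, replacement in _SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class ApprovalRequired(Exception):
    """A state-changing command was issued without operator approval."""


class CommandNotAllowed(Exception):
    """The command is outside the known allow-list."""


@dataclass
class RpcRequest:
    device_id: str
    command: str
    args: dict[str, Any] = field(default_factory=dict)


@dataclass
class Gate:
    """Wraps the transport so the agent cannot skip approval or logging."""
    approve: Callable[[RpcRequest], bool]         # human-in-the-loop decision
    send: Callable[[RpcRequest], dict[str, Any]]  # real transport (signed MQTT RPC in the skill)
    audit_log: list[str] = field(default_factory=list)

    def dispatch(self, req: RpcRequest) -> dict[str, Any]:
        cmd = req.command.lower()
        args = json.dumps(req.args, sort_keys=True)
        if cmd in READ_ONLY_COMMANDS:
            kind = "read-only"
        elif cmd in STATE_CHANGING_COMMANDS:
            kind = "state-changing"
            if not self.approve(req):
                self._record(f"DENIED {cmd} on {req.device_id} args={args}: no operator approval")
                raise ApprovalRequired(f"{cmd} on {req.device_id} needs operator approval")
        else:
            self._record(f"REJECTED unknown command {cmd!r} on {req.device_id}")
            raise CommandNotAllowed(cmd)
        response = self.send(req)
        self._record(f"SENT {kind} {cmd} on {req.device_id} args={args} "
                     f"response={json.dumps(response, sort_keys=True)}")
        return response

    def _record(self, line: str) -> None:
        # Every audit line passes through redaction before it is stored.
        self.audit_log.append(redact(line))


def render_for_chat(response: dict[str, Any]) -> str:
    """Text that may be shown to the agent or operator, secrets scrubbed."""
    return redact(json.dumps(response, sort_keys=True))


def outcome(gate: Gate, req: RpcRequest) -> str:
    """Classify what the gate did with a request: sent, approval_required, not_allowed."""
    try:
        gate.dispatch(req)
    except ApprovalRequired:
        return "approval_required"
    except CommandNotAllowed:
        return "not_allowed"
    return "sent"


# Constructed stand-ins for the real pieces (not VMflow's behaviour).
def fake_send(req: RpcRequest) -> dict[str, Any]:
    # A device response that happens to echo a credential-looking field.
    return {"ok": True, "command": req.command, "auth": "Bearer eyJabc.def.ghi123"}


def operator_console(req: RpcRequest) -> bool:
    # Stand-in for a real approval prompt: only restarts are pre-approved here.
    return req.command == "restart"


if __name__ == "__main__":
    gate = Gate(approve=operator_console, send=fake_send)
    print(render_for_chat(gate.dispatch(RpcRequest("vm-0001", "info"))))
    print(outcome(gate, RpcRequest("vm-0001", "credit", {"amount": 100, "passkey": "pk-9f8e7d6c"})))
    print("\n".join(gate.audit_log))
```

The allow-list is deliberately closed: a command the gate does not recognise is rejected rather than forwarded, so a prompt-injected or hallucinated verb never reaches a device. The approval callback is the only place that decides whether a state-changing command goes out, and the agent never sees the passkey, which stays inside the transport.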

VirusTotal

VirusTotal findings are pending for this skill version.
