Security audit

Token Management

Security checks across malware telemetry and agentic risk

Overview

This token-management skill has a coherent purpose, but it gives agents broad plaintext credential access and includes unsafe handling patterns users should review before installing.

Install only if you are comfortable with an agent accessing a central plaintext token file. Prefer a private secret manager or OS keychain, avoid printing token values, ensure secret files are not committed, and require explicit approval for each service-specific credential lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill instructs making git commits around updates to a credential store, which can capture secrets or secret-bearing diffs in version control. Even if intended as a backup step, committing `.env` content materially increases the risk of long-term credential exposure, accidental pushes, and forensic persistence of revoked or rotated tokens.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The documented `cat ~/Documents/life/.env` command exposes the entire secret store, not just the token needed for the current task. This can reveal unrelated API keys, credentials, and metadata to the agent interface, logs, screenshots, or downstream consumers, violating least privilege and greatly expanding blast radius.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The skill claims to ensure token security while directing storage in a location described as 'shareable, public,' which is fundamentally inconsistent with safe secret handling. This contradiction normalizes insecure storage and may lead users or agents to treat sensitive credentials as acceptable in broadly accessible locations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill instructs reading and listing secrets from a shared `.env` file without privacy warnings, consent checks, or minimization controls. In a secret-handling context, omitting these safeguards makes accidental disclosure much more likely through terminal output, agent responses, or logs.

Ssd 3

Severity: High
Confidence: 99%
Finding
Directing the agent to read and reveal all stored tokens in plain text is a severe secret-disclosure issue. In context, this is especially dangerous because the file is presented as a centralized credential repository, so one command can exfiltrate a broad set of unrelated credentials at once.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The instruction to always check the credential store before asking the user encourages silent retrieval and reuse of previously stored secrets. While secret reuse can be operationally convenient, doing so without explicit consent or task-scoped confirmation increases the chance of unauthorized access, misuse across contexts, or accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.