Back to skill

Security audit

ServiceNow

Security checks across malware telemetry and agentic risk

Overview

This is a clearly disclosed ServiceNow integration that can make powerful changes if configured with a powerful ServiceNow account, but I did not find hidden, deceptive, persistent, or unrelated behavior.

Install this only with a dedicated least-privilege ServiceNow API user, not an admin account. Review any create/update/delete or batch command before it runs, keep batch in dry-run until the matched records are verified, and be careful with attachment uploads/downloads because they can move data between your local machine and ServiceNow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands (`bash scripts/sn.sh ...`) and therefore has code-execution capability, but it does not declare permissions or clearly signal that shell execution is required. This reduces transparency and can cause agents or users to approve a skill without understanding that it can run local commands and make authenticated network calls to a ServiceNow instance.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The description presents the skill primarily as a generic ServiceNow CRUD and analytics integration, but the documented behaviors also include sensitive operational diagnostics and powerful bulk-destructive actions such as batch delete and broad instance health inspection. This mismatch can mislead users or orchestration systems about the true privilege and blast radius of the skill, increasing the chance of overbroad approval and unsafe use.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The health command goes beyond normal table/record CRUD and exposes instance-administration diagnostics such as version/build details, cluster node status, semaphore state, and scheduled job health. In an agent skill context, this expands the accessible attack surface and can leak operational intelligence useful for reconnaissance even if the code is not overtly malicious.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Querying sys_cluster_state, sys_trigger, and sys_semaphore exposes infrastructure and runtime-status information not necessary for ordinary ITSM/CMDB workflows. Such data can aid attackers or over-privileged agents by revealing topology, stuck jobs, active locks, and other operational conditions that support targeted abuse or disruption.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup instructs users to place ServiceNow credentials in plaintext environment variables without warning about exposure risks such as shell history leakage, process inspection, inherited environments, or accidental logging. Because these credentials grant broad API access, compromise of the host or session can quickly translate into unauthorized read, update, delete, or attachment access across ServiceNow tables.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The attachment download command writes server-controlled content to any caller-supplied local output path without validation or safety restrictions. In an agent setting, this can overwrite arbitrary files accessible to the process, enabling data loss, persistence, or staging of malicious content on the local system.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The attachment upload command sends arbitrary local file contents to the remote ServiceNow instance based on a user-supplied path, with no safeguards around sensitive files. In an agent environment, prompt injection or misuse could cause exfiltration of local secrets, configuration files, or other private data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.