OtpForge

Security checks across malware telemetry and agentic risk

Overview

OtpForge is a local 2FA code manager that does what it advertises, but its vault contains sensitive authentication secrets that users must protect.

Install only on a trusted device with protected local storage. Treat the vault file, command-line secrets, displayed codes, and copied codes as authentication credentials; avoid shared or synced vault paths, and prefer an encrypted password manager for high-value accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill stores TOTP seeds, which are effectively authentication secrets, in a local JSON file, but the description does not warn users about the sensitivity of that storage. Users may unknowingly persist 2FA material in plaintext or inadequately protected locations, increasing the chance of credential compromise from local access or backups.

Missing User Warnings

Medium
Confidence: 78%
Finding
The storage path for the OTP vault can be redirected via the OTPFORGE_STORE environment variable, which may cause secrets to be written to an unexpected or less protected location. In contexts where environment variables are inherited from untrusted launchers, wrappers, or higher-privileged execution contexts, this can lead to accidental disclosure or overwrite of sensitive OTP seeds.

VirusTotal

59/59 vendors flagged this skill as clean.
