Security audit

Nella

Security checks across malware telemetry and agentic risk

Overview

Nella is a coherent code-search skill, but it deserves Review because normal use can send repository content and usage metadata to remote services while storing credentials and context locally.

Install only if you are comfortable with a codebase-indexing tool that may send source snippets and search results to configured remote embedding/reranking services, logs usage metadata when authenticated, and stores tokens plus persistent context locally. Prefer local-only or tightly scoped provider settings for private repositories, pin the npm version, avoid service-role credentials except for deliberate self-hosting, keep hosted servers bound to localhost unless intentionally exposed, and review or rotate any API keys written into agent config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The server can send Pushover notifications on first-run and usage milestones, which is unrelated to the exposed MCP tool contract and creates an undisclosed outbound data channel. Even if the payload is small, it transmits API-key-derived identifiers and usage metadata to a third party, expanding data exposure beyond user expectations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The exported MCP entrypoint includes substantially broader hosted-server behavior than a typical local MCP skill: multi-tenant HTTP serving, API-key validation, Supabase/Redis integration, telemetry, and notification paths. In a skill-evaluation context, this unexpected expansion of network-facing and data-processing capability increases attack surface and can expose repositories, credentials, and usage metadata beyond the implied MCP scope.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Cloud SQL and Cloud Storage capabilities are embedded in the same module graph as the MCP tooling, creating latent paths for remote persistence and external data movement unrelated to the visible skill purpose. Even if not always invoked, bundling these capabilities into the skill increases the chance of misuse, misconfiguration, or unexpected exfiltration in downstream integrations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file includes a full playground web server with HTTP/WebSocket endpoints, auth middleware, metrics, and session persistence, which is a much larger capability set than an MCP tool shim. This creates a remotely reachable surface that could be started accidentally or by a host environment expecting only local MCP behavior.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The telemetry path records MCP tool usage and queues/sends it to a remote analytics endpoint when telemetry is enabled, while the surrounding auth flow messaging emphasizes authentication rather than clearly disclosing telemetry. Silent or weakly disclosed outbound analytics from a local code-analysis tool is dangerous because it can leak behavioral metadata about workspace usage to an external service without informed consent.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill includes a bearer-token Authorization header example for hosted configuration but does not warn about secret handling, redaction, or avoiding hardcoding tokens into shared configs. While the shown value is clearly a placeholder, this pattern can normalize copying real API keys into files, prompts, logs, or screenshots, which increases the chance of accidental credential exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI persists access and refresh tokens in plaintext under ~/.nella/auth.json. Any local malware, another user on a shared system, or backup/sync tooling that can read that file could steal the session and impersonate the user against the remote service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The connect flow writes bearer API keys into multiple third-party client config files on disk. Those files may be readable by other local users, extensions, sync services, or backups, turning a convenience feature into credential sprawl across several applications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The embedder sends code/text chunks and bearer credentials to external services, which can expose proprietary source code and sensitive workspace content to third parties. In this skill's context, indexing and search operate over arbitrary repositories, so transmitting code off-host materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reranking path sends retrieved code/content to external reranking providers, which can leak sensitive snippets found during search. Because this occurs after retrieval, even highly relevant secret-bearing code may be transmitted without additional user approval.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Auth/session tokens are persisted to ~/.nella/auth.json in plaintext without any visible permission hardening or encryption in this path. On multi-user systems or compromised hosts, local token theft could enable unauthorized access to the user's Nella-backed services.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code performs multiple outbound network interactions to Supabase, Redis-backed infrastructure, Pushover, and remote model/embedding services, but the hosted server path does not present clear user-facing disclosure of these transmissions. In an agent skill context, undisclosed external data flow is risky because prompts, metadata, and usage information may leave the local trust boundary unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The indexing/search pipeline sends workspace content to third-party embedding and reranking services, including external APIs such as Voyage, Azure, or Nella-hosted endpoints. In a code-assistant skill, this can transmit proprietary source code, secrets, or internal documentation off-host without a clear consent boundary at the call sites.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The auth flow persists Supabase access and refresh tokens in ~/.nella/auth.json without any evident encryption or OS keychain protection. Local token storage can be abused by other local processes or users on the system to impersonate the user and access remote services.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The hosted server defaults to binding on 0.0.0.0, exposing the MCP/HTTP service on all network interfaces. If launched in a developer workstation or shared environment, this can unintentionally make sensitive code-intelligence endpoints reachable from other hosts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication helper persists refresh/access session data to ~/.nella/auth.json, creating durable local credentials that may outlive the current session. Storing tokens on disk without strong protections or clear user disclosure increases the risk of credential theft from local compromise, backups, or permissive filesystem settings.

Missing User Warnings

High
Confidence
98% confidence
Finding
The indexing and search stack sends workspace-derived content to external embedding and reranking providers such as Voyage, Azure OpenAI, and Nella's API. This is dangerous because proprietary source code, comments, secrets accidentally present in files, or internal architecture details may be transmitted to third parties during normal use if users are not clearly warned and do not explicitly consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The MCP server logs per-tool usage telemetry to https://app.getnella.dev/api/usage/log, including tool name, duration, and estimated token counts, and retries silently in the background. Even if source content is not sent here, this still leaks operational metadata about repository analysis activity and user workflows to a remote service without strong in-band disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
The auth callback accepts access and refresh tokens via browser URL query parameters. Query-string tokens can leak through browser history, logs, proxies, crash reports, referrers, and other instrumentation, exposing live credentials beyond the intended local callback flow.

External Transmission

Medium
Category
Data Exfiltration
Content
      body.retry = "300";
      body.expire = "3600";
    }
    await fetch("https://api.pushover.net/1/messages.json", {
      method: "POST",
      body: new URLSearchParams(body)
    });
Confidence
91% confidence
Finding
fetch("https://api.pushover.net/1/messages.json", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
      body.retry = "300";
      body.expire = "3600";
    }
    await fetch("https://api.pushover.net/1/messages.json", {
      method: "POST",
      body: new URLSearchParams(body)
    });
Confidence
91% confidence
Finding
https://api.pushover.net/

External Transmission

Medium
Category
Data Exfiltration
Content
      body.retry = "300";
      body.expire = "3600";
    }
    await fetch("https://api.pushover.net/1/messages.json", {
      method: "POST",
      body: new URLSearchParams(body)
    });
Confidence
82% confidence
Finding
fetch("https://api.pushover.net/1/messages.json", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
      body.retry = "300";
      body.expire = "3600";
    }
    await fetch("https://api.pushover.net/1/messages.json", {
      method: "POST",
      body: new URLSearchParams(body)
    });
Confidence
82% confidence
Finding
https://api.pushover.net/

Credential Access

High
Category
Privilege Escalation
Content
var import_types2 = require("@modelcontextprotocol/sdk/types.js");
var import_core6 = __toESM(require_dist());
var import_ioredis = __toESM(require("ioredis"));
import_dotenv.default.config({ path: path7.resolve(__dirname, "../../../../.env") });
import_dotenv.default.config();
var pkgVersion2 = "0.0.0";
try {
Confidence
97% confidence
Finding
.env"
The matched call resolves ../../../../.env against the bundle's own __dirname and then calls config() a second time with no path. For a bundle at node_modules/<package>/dist/mcp the first path is the consuming project's root, so the server can load a host project's .env into its process environment; because dotenv does not overwrite variables that are already set, the second, cwd-relative call only fills in what the first left unset. Check which .env is actually in scope before running the server inside a repository that keeps secrets there.

VirusTotal

64/64 vendors flagged this skill as clean. An antivirus verdict covers known-malware signatures and says nothing about the data-flow, credential-handling and bind-address findings above, which concern behaviour that is legitimate for the product but risky for a private repository.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Each rule reports one hit per bundled entrypoint (dist/cli.js, dist/index.js, dist/mcp/hosted-server.js, dist/mcp/index.js, dist/mcp/server.js). For the three Critical rules the reported line numbers are within a few lines of each other across the bundles, and suspicious.env_credential_access and suspicious.exposed_secret_literal point at the same line in every bundle, which indicates one piece of bundled source tripping several heuristics rather than fifteen independent problems. The lines are still worth reading to confirm whether the flagged literal is a real secret or a placeholder and which command child_process actually runs.

Shell command execution detected (child_process).
Critical, suspicious.dangerous_exec
  • dist/cli.js:2442
  • dist/index.js:2446
  • dist/mcp/hosted-server.js:2446
  • dist/mcp/index.js:2446
  • dist/mcp/server.js:2447

Environment variable access combined with network send.
Critical, suspicious.env_credential_access
  • dist/cli.js:2976
  • dist/index.js:2980
  • dist/mcp/hosted-server.js:2980
  • dist/mcp/index.js:2980
  • dist/mcp/server.js:2981

File appears to expose a hardcoded API secret or token.
Critical, suspicious.exposed_secret_literal
  • dist/cli.js:2976
  • dist/index.js:2980
  • dist/mcp/hosted-server.js:2980
  • dist/mcp/index.js:2980
  • dist/mcp/server.js:2981

Sensitive-looking file read is paired with a network send.
Warn, suspicious.potential_exfiltration
  • dist/cli.js:24350
  • dist/index.js:24216
  • dist/mcp/hosted-server.js:24632
  • dist/mcp/index.js:24280
  • dist/mcp/server.js:24175