erxes-next-plugin

Security checks across malware telemetry and agentic risk

Overview

This erxes plugin is purpose-built and not malware-like, but it can use OAuth credentials to change business records and its instructions assume owner-level authority too broadly.

Install only in an erxes environment where the agent is intended to act with owner-like authority. Use least-privilege OAuth clients if available, keep secrets out of logs and project files, require explicit confirmation for any write, delete, or bulk action, and prefer HTTPS except for trusted localhost development.

Publisher note

This plugin needs native host access only to run bundled shell helpers for erxes OAuth device login and token refresh. It sends requests to the configured ERXES_BASE_URL, uses ERXES_CLIENT_ID and ERXES_CLIENT_SECRET for confidential OAuth, and does not persist access tokens, refresh tokens, auth headers, API keys, or .env values to project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Vague Triggers

Medium
87% confidence
Finding
The keyword list includes very generic terms such as "contacts," "companies," "products," and especially "graphql," which can match many unrelated user requests and cause the plugin to be invoked outside a clearly intended erxes-specific context. Because this plugin exposes privileged OAuth-backed data operations, accidental invocation increases the chance of unnecessary credential use, overbroad data access, or unintended destructive actions.

Vague Triggers

Medium
84% confidence
Finding
The declared intents include broad commands like "create," "update," "delete," and "group erxes records" without explicit guardrails around record type, tenant scope, confirmation requirements, or authorization context. In a confidential OAuth plugin that can operate business data through GraphQL, such broad routing language raises the risk of the agent selecting this skill for ambiguous prompts and performing high-impact actions on the wrong data.

Vague Triggers

Medium
80% confidence
Finding
The activation guidance is broad enough that an agent could engage this skill for generic business-record requests without strong scoping or tenant/context validation. In a skill that includes many destructive and high-impact operations, overbroad matching increases the chance of acting on the wrong records or invoking sensitive mutations in the wrong context.

Vague Triggers

Low
76% confidence
Finding
The open-ended trigger phrases lack constraints, required context, and disambiguation requirements, which can cause an agent to infer intent too aggressively from ambiguous user language. Because the skill supports create, update, delete, transfer, and conversion flows, ambiguous triggers materially raise the risk of unintended record access or destructive actions.

Missing User Warnings

Medium
89% confidence
Finding
The document instructs users to transmit bearer tokens and sensitive account data to an HTTP endpoint on localhost without any warning about secure transport, token handling, or secret exposure risks. Even in a local-development context, normalizing insecure examples can lead operators or downstream tooling to reuse the pattern in non-local environments, exposing credentials and personal data.

Vague Triggers

Medium
90% confidence
Finding
The manifest advertises broad keywords such as "contacts," "companies," "products," "block," "operation," "graphql," and "oauth," which are generic enough to match many unrelated user requests. In a plugin that can authenticate to a confidential OAuth client and operate on remote data, overly broad activation increases the chance the agent invokes this skill in the wrong context, exposing data access or causing unintended actions.

Vague Triggers

Medium
92% confidence
Finding
The listed intents include ambiguous phrases like "create erxes record," "update erxes record," "delete erxes record," "operate block plugin," and "operate operation plugin" without clear scoping or confirmation requirements. Because this skill is designed to perform authenticated GraphQL operations against erxes Next, loose intent matching can lead to accidental invocation of destructive actions, including modification or deletion of business data.

Natural-Language Policy Violations

Medium
96% confidence
Finding
The skill explicitly tells the agent to assume owner-level authority by default, which weakens authorization boundaries and encourages execution of privileged operations without validating the requesting user's actual permissions. In an agent setting, this can enable unauthorized reads, updates, deletions, and membership changes if the surrounding platform does not independently enforce least privilege before the call is made.

Natural-Language Policy Violations

Medium
97% confidence
Finding
Telling the agent to proceed first and only surface access problems after API rejection creates a fail-open posture. This is dangerous because it normalizes unauthorized attempts against sensitive operations and can leak whether protected resources or actions exist based on differing API responses, while also relying entirely on backend enforcement to prevent privilege abuse.

Natural-Language Policy Violations

Medium
94% confidence
Finding
The template section states that owner-mode access should be assumed even though permission definitions are missing, which is especially risky because absent permission metadata should increase caution, not reduce it. This can lead the agent to perform template reads or mutations on resources whose authorization model is unclear, increasing the chance of unauthorized access or modification.

Vague Triggers

Medium
93% confidence
Finding
The manifest keyword list is broad enough to match generic terms such as "contacts," "companies," "products," "graphql," and "oauth," which can cause the plugin to activate in conversations not specifically about erxes Next. Because this skill is high-privilege and configured for confidential OAuth access plus create/update/delete operations, accidental invocation could expose sensitive data actions to an unrelated workflow or increase the chance of prompt-routing abuse.

Vague Triggers

Medium
91% confidence
Finding
The intent phrases are broad operational requests like "create erxes record," "update erxes record," and "delete erxes record" without any visible scope checks, authorization boundaries, or object-level constraints in the manifest. In the context of a confidential OAuth plugin that can operate over GraphQL, broad matching increases the risk that ambiguous user requests are interpreted as permission to perform sensitive state-changing actions.

VirusTotal

64/64 vendors flagged this plugin as clean.
