Signal CLI

Security checks across malware telemetry and agentic risk

Overview

This skill transparently uses a local Signal CLI setup to find recipients and send user-confirmed Signal messages.

Install only if you trust your local signal-cli setup and are comfortable letting the agent use your registered Signal account. Confirm the exact recipient, message text, and attachments before sending, and avoid broad contact lookups unless they are needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 96% confidence
Finding: The skill invokes local shell commands (`signal-cli` and bundled Python scripts) but declares no permissions, creating a capability/permission mismatch. Even if the functionality is legitimate, undeclared shell access reduces transparency and can let a caller trigger local messaging actions or contact enumeration without an explicit security boundary review.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The script retrieves a user's local Signal contact list and emits personally identifiable contact data such as names, nicknames, phone numbers, usernames, and UUIDs in JSON. In the context of an agent skill, this can expose sensitive address-book data to the calling agent or downstream systems without any in-code minimization, consent check, or disclosure, increasing privacy and data-exfiltration risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal