Back to skill

Security audit

Publisher

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate PushWebly publishing helper, but it needs review because it can publish local projects externally and stores reusable login secrets in plaintext local config.

Install only if you intentionally want Codex to publish projects to PushWebly. Confirm visibility before every publish, avoid saving credentials unless you accept plaintext local storage in ~/.publisher/config.json, and rotate the PushWebly password or token if that file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger language is broad enough that loosely related user phrases like 'sharing' or 'launching' could force entry into a publishing workflow and prompt for credentials or deployment actions the user did not clearly request. In an agent setting, overbroad activation increases the chance of unintended external side effects, including accidental uploads to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs storage of plaintext username, password, and bearer token in a local config file, which creates credential-at-rest exposure if the host is compromised, backed up insecurely, or read by other local processes. Although it mentions consent and file mode 600, plaintext persistence of reusable secrets materially increases account takeover risk.

Ssd 3

Medium
Confidence
89% confidence
Finding
Instructing the agent to always relay the final private access password in normal conversation exposes an authentication secret in chat logs, transcripts, and UI history. Because the password protects access to a private project, unnecessary disclosure weakens confidentiality and may leak to anyone with access to the conversation record.

Ssd 3

Medium
Confidence
93% confidence
Finding
The response template explicitly includes the private project's access password in the assistant's visible output, which normalizes disclosure of a live access credential into logs and message history. In agent platforms with persistent transcripts, this can turn a private app into effectively shared access if others can review the conversation.

Session Persistence

Medium
Category
Rogue Agent
Content
- Do not require Python. Optional scripts, if present, are for CLI/CI users only.
- Ask only for genuinely missing information: credentials, zip path, project
  name, public/private visibility, or private access password preference.
- Never write credentials into a project zip or repository file. Store them only
  in the user's local `~/.publisher/config.json` after consent.
- On Windows/PowerShell, use a temp JSON file for request bodies instead of
  shell-escaping inline JSON.
Confidence
94% confidence
Finding
write credentials into a project zip or repository file. Store them only in the user's local `~/.publisher

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:470