Janee

Security checks across malware telemetry and agentic risk

Overview

Janee is a real local API-key proxy, but its defaults and URL handling can let an agent make broad authenticated requests, including potentially leaking stored credentials to an unintended host.

Review before installing. Use only with tightly scoped API keys and explicit allow rules, avoid write-capable or financial production credentials, and do not rely on autoApprove, sessions, or revoke as strong safety controls. Treat audit logs and ~/.janee/config.yaml as sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This code exposes a generic outbound request execution path driven by MCP requests, not a narrowly scoped secrets-management function. Because it can construct arbitrary paths, merge caller-supplied headers, and dispatch authenticated requests to configured backends, it effectively turns the skill into a privileged API proxy that can be abused to perform unintended actions against internal or third-party services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The hot-reloadable execution model broadens the attack surface by allowing the set of reachable services and capabilities to change at runtime while preserving a generic request executor. In a skill advertised as secrets management, this mismatch is especially risky because users may grant trust expecting limited secret access, while the implementation can be repurposed into a broader authenticated action broker.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding:
This module persistently records API activity to local JSONL files and also exposes log-reading functionality, which materially expands the skill's effective data handling beyond narrowly scoped secrets management. Even though the current event schema avoids full headers and bodies, the logged service, path, timestamps, denial reasons, and request metadata can still reveal sensitive operational behavior and user activity, especially in an agent context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
The real-time tailing and historical log reading features create a local surveillance interface over agent/API activity that is not clearly required for secrets management. In practice, this increases the chance that another component, plugin, or local user can monitor request patterns, blocked actions, and timing data, enabling privacy leakage and operational intelligence gathering.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The README explicitly recommends creating a capability with auto-approval enabled for a real payment API without a strong warning about the risk. In a secrets-brokering tool for AI agents, this can normalize unattended access to live APIs, allowing prompt-injected or mistaken agent actions to execute immediately against production systems.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Documenting 'no rules defined → allow all' creates an insecure-by-default policy model for a tool that proxies real credentials to external APIs. If users omit rules, an agent may gain unrestricted access to the backing service, turning prompt injection, misconfiguration, or agent error into full API compromise.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The configuration example includes `autoApprove: true` for a capability that can perform POST requests, and the documentation does not prominently warn that this enables state-changing API actions without human confirmation. In a secrets-management/proxy skill, that is especially risky because the tool can execute authenticated operations against real third-party services.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The command interactively collects API keys, HMAC secrets, and arbitrary auth headers, then persists them via saveYAMLConfig without any explicit warning, consent step, or indication of storage protections. In a secrets-management tool, silently writing sensitive credentials to a local YAML file increases the risk of accidental disclosure through weak file permissions, backups, source control, or shared workstations.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The migration preserves the old JSON config by renaming it to config.json.bak after creating the new YAML file, which retains a second copy of sensitive configuration data on disk. If the old JSON format stored secrets less safely or if users assume migration removed the original, this increases exposure and secret persistence without any warning or cleanup option.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The code writes audit records to local files without any visible user disclosure or consent mechanism, despite persisting API activity. In a secrets-management skill, silent persistence is more concerning because users reasonably expect secret protection, not hidden activity logging, and may be unaware that operational metadata is being retained on disk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
Denied-request logging stores user-supplied reason text directly to disk, which can capture sensitive prompts, business context, or other confidential text entered by users. Because this content is not sanitized or clearly disclosed, it creates an avoidable local data retention risk and may expose secrets or personal data through audit files.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The execute tool exposes a generic request primitive that can send arbitrary methods, paths, headers, and bodies to backend services, but this file does not present any user-facing warning, consent boundary, or safety disclosure at the tool surface. In an agent setting, that makes it easier for prompt-influenced or confused agents to perform consequential external actions without clear operator awareness.

VirusTotal

56/56 vendors flagged this skill as clean.
