Back to skill

Security audit

PCO CLI - Planning Center Services

Security checks across malware telemetry and agentic risk

Overview

This does not look malicious, but it needs review because it points to unbundled local CLI code and includes commands that can change or delete live Planning Center data without safety guidance.

Install only if you trust and have separately reviewed the external pco.ts CLI and its dependencies. Use least-privilege Planning Center credentials, avoid sharing outputs containing people or scheduling data, and require explicit human confirmation before any raw POST, PATCH, or DELETE command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation frames the tool as limited to Planning Center Services, but it exposes a generic raw API interface and additional resource access that can reach beyond a narrow read-only workflow. This mismatch can mislead users or downstream agents into granting trust or using the skill in broader, potentially destructive ways than the description suggests.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The top-level description presents the CLI as a Services API helper, but the documented interface includes write-capable raw API operations that are not reflected in the otherwise read-oriented command narrative. That creates a dangerous trust gap where users may assume the tool is safer or more limited than it actually is.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill documents local credential storage and broad access to people, scheduling, media, and organizational records without warning that these may contain sensitive personal or operational data. In an agent context, omission of handling guidance increases the risk of oversharing, unsafe logging, or unauthorized querying of private information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The raw API section advertises POST, PATCH, and DELETE functionality without any warning that these actions can create, alter, or remove production church data. In an automated or agent-driven setting, undocumented destructive capability materially raises the chance of accidental modification or deletion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.