Security audit

passnote-skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises by creating PassNote memos, but users should configure it only for a trusted PassNote server because it sends memo contents and an API token there.

Install only if you trust the PassNote instance configured in PASSNOTE_API_URL. Prefer HTTPS, use a scoped or revocable PASSNOTE_API_TOKEN, and avoid sending long-lived passwords, API keys, or regulated data unless that PassNote deployment is approved for those secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'req' from os.environ.get (line 33, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req.add_header("Authorization", f"Bearer {api_token}")

    try:
        response = urllib.request.urlopen(req)
        response_data = json.loads(response.read().decode("utf-8"))

        if response_data.get("code") == 0 and "data" in response_data:
Confidence
97% confidence
Finding
response = urllib.request.urlopen(req)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares and relies on network access and sensitive environment variables, but does not explicitly declare permissions to bound or disclose those capabilities. This can weaken reviewability and user consent because the skill can transmit memo contents and use an API token without a clear permission contract.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages users to place highly sensitive content such as passwords into a memo, but it does not clearly disclose that this data will be sent to the external PassNote service via the skill. That omission can mislead users about data handling boundaries and cause accidental disclosure of secrets to a third-party system, which is especially risky in a security-themed tool.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger text is broad enough to activate on ordinary requests involving notes, memos, or messages, which could cause the agent to send user content to an external service unexpectedly. In security-sensitive contexts, overbroad activation increases the chance of accidental data exfiltration or use without informed user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.