Security audit

passnote-skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises by creating PassNote memos, but users should configure it only for a trusted PassNote server because it sends memo contents and an API token there.

Install only if you trust the PassNote instance configured in PASSNOTE_API_URL. Prefer HTTPS, use a scoped or revocable PASSNOTE_API_TOKEN, and avoid sending long-lived passwords, API keys, or regulated data unless that PassNote deployment is approved for those secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Tainted flow: 'req' from os.environ.get (line 33, credential/environment) → urllib.request.urlopen (network output)

Critical

Category: Data Flow
Content: req.add_header("Authorization", f"Bearer {api_token}") try: response = urllib.request.urlopen(req) response_data = json.loads(response.read().decode("utf-8")) if response_data.get("code") == 0 and "data" in response_data:
Confidence: 97% confidence
Finding: response = urllib.request.urlopen(req)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill declares and relies on network access and sensitive environment variables, but does not explicitly declare permissions to bound or disclose those capabilities. This can weaken reviewability and user consent because the skill can transmit memo contents and use an API token without a clear permission contract.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README encourages users to place highly sensitive content such as passwords into a memo, but it does not clearly disclose that this data will be sent to the external PassNote service via the skill. That omission can mislead users about data handling boundaries and cause accidental disclosure of secrets to a third-party system, which is especially risky in a security-themed tool.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger text is broad enough to activate on ordinary requests involving notes, memos, or messages, which could cause the agent to send user content to an external service unexpectedly. In security-sensitive contexts, overbroad activation increases the chance of accidental data exfiltration or use without informed user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.