Security audit

Juggle automation workflow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Juggle workflow runner, but it can start external automations with a token and does not clearly limit or confirm high-impact workflow execution.

Review the Juggle workflows and token permissions before installing. Use a least-privilege token, point the base URL only at a trusted Juggle deployment, avoid putting real secrets in flow-data command lines or docs, and require explicit confirmation for workflows that modify accounts, business data, production systems, payments, or public content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares required environment variables and documents network-driven workflow execution, but does not explicitly declare permissions for environment access and outbound network use. This weakens least-privilege controls and makes it easier for a reviewer or runtime to underestimate the skill's ability to access secrets and call remote services.

Intent-Code Divergence

Severity: Low
Confidence: 93%
Finding: The manifest requires MC_JUGGLE_BASE_URL and MC_JUGGLE_TOKEN, but the documentation instructs users to configure MC_BASE_URL and MC_JUGGLE_TOKEN. This mismatch can cause operators to place credentials in the wrong variable, leading to failed authentication, accidental fallback behavior, or unintended reuse of a generic base URL secret from another skill or service.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The trigger condition is defined with broad phrases like '执行工作流' ("execute workflow") and '调用流程' ("invoke flow"), which can match many ordinary requests. In a skill that can invoke remote workflows with user-supplied parameters, ambiguous activation increases the chance of unintended execution of external actions or data processing.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: The documentation examples show requests that carry a token and transmit business identifiers, but give no guidance on credential custody, log redaction, least privilege, or the fact that example values must not be reused as-is. In an automated-workflow skill, users are likely to copy the examples directly into scripts, logs, or shared environments, leading to token leakage, exposure of sensitive business IDs, or unauthorized calls to the workflow interfaces.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The document includes a password field and a concrete plaintext password example, which normalizes unsafe secret handling and increases the chance that users copy the pattern into real environments. In an automation/workflow skill, credential-bearing examples are especially risky because they are likely to be reused in scripts, logs, test fixtures, or shared docs without redaction.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The command-line example passes credentials directly in --flow-data, which can expose the password through shell history, process listings, terminal logs, CI logs, and audit tooling. Because this skill is for workflow automation, users are more likely to run such commands in shared operational environments, making accidental credential disclosure significantly more dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.