Back to skill

Security audit

Canary

Security checks across malware telemetry and agentic risk

Overview

Canary appears to be a defensive secrets scanner, but it asks agents to inspect and sometimes modify a very broad set of sensitive local credential files, so users should review its scope before installing.

Install only if you intentionally want a broad local credential-audit helper. Before any deep scan, review and narrow the paths it will inspect, do not paste raw secrets or full command output into chat, approve fixes one by one, and remember that Canary state, backups, and an integrity marker may persist after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest claims the skill 'scans' and 'fixes issues with your permission' and 'runs silently on startup,' but the system prompt says it cannot directly scan files or apply fixes and only operates in advisory mode. This mismatch is dangerous because it misrepresents capability and trust boundaries, which can cause users to disclose sensitive outputs under false assumptions about what the skill can safely do.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example invocation phrases are broad and natural-language generic, especially "Run a security check" and "Scan my environment." In an agent platform, overly generic triggers can cause the skill to activate during unrelated user requests, leading to unintended local secret scanning of sensitive files and shell history without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill is configured to trigger deep secret-scanning on broad natural-language prompts without strict boundaries. That increases the chance of accidental invocation, causing the agent to inspect sensitive files and histories when the user may have intended only a general discussion or advice request.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Activating on generic terms like 'security check, scan, or audit' is too broad for a skill with credential-access behavior. In normal conversation, these terms could appear in unrelated contexts and still cause the skill to traverse sensitive directories and read secrets.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example prompts are broad enough to activate the skill during normal conversation, such as generic requests to 'run a security check' or 'help me check if my API keys are safe.' In the context of a skill that instructs users to enumerate sensitive files and paste results back, this increases the chance of unintended secret-scanning workflows and unnecessary exposure of sensitive metadata.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells users to paste terminal output and file contents back into chat for analysis, but it does not place a strong upfront warning before those instructions that command output may contain live credentials, tokens, private keys, or personal file paths. In a secrets-scanning context, this creates a substantial risk of exfiltrating exactly the sensitive material the skill is supposed to protect.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- `~/Library/Application Support/` (macOS) and `~/.config/` (Linux) — application configs that may store tokens
- `/tmp/` and `/var/tmp/` — temporary files that may contain secrets from failed scripts or installs. **⚠️ Lower trust: temp directories are world-writable. Any process can plant files here. Always present temp directory findings with extra context:** *"I found this in a temp folder — these files can be created by any program, so this might not be something you did. Worth a look, but don't be alarmed."* Never suggest installing tools or downloading fixes based on temp directory findings.

*CI/CD & Dev Tools:*
- `~/.circleci/cli.yml` — CircleCI token
- `~/.config/gh/hosts.yml` — GitHub CLI auth
- `~/.config/netlify/config.json` — Netlify token
Confidence
97% confidence
Finding
Tools:*

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- *"Canary, undo that last fix"*
- *"Restore my .env file"*

Backups are stored with owner-only permissions and automatically deleted after 7 days. Canary will never back up files in a way that creates additional copies of secrets in less-secure locations.

**Backup security:**
- Backups are encrypted at rest using a key derived from the machine's unique identifier. They cannot be read by simply opening the file — only Canary's rollback process can decrypt them.
Confidence
78% confidence
Finding
automatically delete

Credential Access

High
Category
Privilege Escalation
Content
- **Git history**: If a `.git` directory exists, check `git log --diff-filter=A` for files that commonly contain secrets (`.env`, credentials, key files). Also check `git diff --cached` for secrets staged but not yet committed.
- **Filename heuristics**: Flag files with suspicious names regardless of content — `credentials`, `secret`, `password`, `token`, `private_key`, `service_account`, `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`, `id_rsa`, `id_ed25519`. If they exist in unexpected locations (Downloads, Desktop, workspace root), escalate severity.
- **File size heuristics**: Small files (under 10KB) in unexpected locations (Downloads, Desktop, Documents, temp directories) with secret-like names or extensions are likely exported keys or tokens. Flag for review.
- **Symlink detection**: Check if any files in scanned directories are symlinks pointing to credential files elsewhere on the system. A symlink to `~/.aws/credentials` in a shared workspace is an exposure vector.
- **Encoding detection**: Check for base64-encoded secrets in config files. Decode and run pattern matching against the decoded content — base64 encoding is often used to obscure secrets but does not protect them.
- **Duplicate secret detection**: If the same secret value appears in multiple locations, flag all instances but group them as a single finding. This helps the user understand the blast radius if that secret is compromised.
- **Stale credential detection**: If a credential file hasn't been modified in over 90 days, flag it as a heads-up — long-lived credentials that are never rotated are a common risk.
Confidence
99% confidence
Finding
~/.aws/credentials

Credential Access

High
Category
Privilege Escalation
Content
- `~/.gnupg/` — GPG private keys and config

*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
Confidence
98% confidence
Finding
~/.aws/credentials

Credential Access

High
Category
Privilege Escalation
Content
- `~/.gnupg/` — GPG private keys and config

*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
Confidence
98% confidence
Finding
~/.aws/config

Credential Access

High
Category
Privilege Escalation
Content
| **API Keys** | Shodan, VirusTotal, OpenAI, Anthropic, AWS, GCP, Stripe, GitHub tokens | `.env` files, skill configs, shell history, git repos |
| **Passwords** | Plaintext passwords in configs, database connection strings with embedded passwords | Config files, `.env`, `.netrc`, skill directories |
| **Private Keys** | SSH private keys, PEM files, JWTs with embedded secrets | `~/.ssh/`, workspace, skill directories |
| **Cloud Credentials** | AWS access keys, GCP service account JSON, Azure tokens | `~/.aws/`, `~/.config/gcloud/`, env vars, configs |
| **Tokens & Sessions** | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, `.env` files |
| **Local System Files** | Credential exports, service account JSONs, PEM/key files, password manager CSV exports, Kubernetes tokens, Terraform state secrets, database passwords | `~/Downloads/`, `~/Desktop/`, `~/Documents/`, `~/.kube/config`, `*.tfstate`, `~/.config/`, `~/Library/Application Support/`, `~/.my.cnf`, `~/.pgpass`, browser password export CSVs, Redis/MongoDB configs |
Confidence
98% confidence
Finding
~/.config/gcloud/

Credential Access

High
Category
Privilege Escalation
Content
*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
- `~/.config/doctl/config.yaml` — DigitalOcean CLI config
Confidence
90% confidence
Finding
~/.config/gcloud/

Credential Access

High
Category
Privilege Escalation
Content
*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
- `~/.config/doctl/config.yaml` — DigitalOcean CLI config
Confidence
90% confidence
Finding
application_default_credentials.json

Credential Access

High
Category
Privilege Escalation
Content
*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
- `~/.config/doctl/config.yaml` — DigitalOcean CLI config
- `~/.config/hcloud/cli.toml` — Hetzner Cloud CLI config
Confidence
98% confidence
Finding
~/.azure/

Credential Access

High
Category
Privilege Escalation
Content
| **Private Keys** | SSH private keys, PEM files, JWTs with embedded secrets | `~/.ssh/`, workspace, skill directories |
| **Cloud Credentials** | AWS access keys, GCP service account JSON, Azure tokens | `~/.aws/`, `~/.config/gcloud/`, env vars, configs |
| **Tokens & Sessions** | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, `.env` files |
| **Local System Files** | Credential exports, service account JSONs, PEM/key files, password manager CSV exports, Kubernetes tokens, Terraform state secrets, database passwords | `~/Downloads/`, `~/Desktop/`, `~/Documents/`, `~/.kube/config`, `*.tfstate`, `~/.config/`, `~/Library/Application Support/`, `~/.my.cnf`, `~/.pgpass`, browser password export CSVs, Redis/MongoDB configs |

### Severity Levels
Confidence
97% confidence
Finding
~/.kube/config

Credential Access

High
Category
Privilege Escalation
Content
*Containers & Orchestration:*
- `~/.docker/config.json` — Docker Hub and registry credentials
- `~/.kube/config` — Kubernetes cluster tokens and certificates
- `~/.helm/` — Helm repository credentials
- `*.tfstate` and `*.tfstate.backup` in workspace — Terraform state with plaintext secrets
- `~/.terraform.d/credentials.tfrc.json` — Terraform Cloud tokens
Confidence
98% confidence
Finding
~/.kube/config

Credential Access

High
Category
Privilege Escalation
Content
- `~/.composer/auth.json` — PHP Composer tokens

*Containers & Orchestration:*
- `~/.docker/config.json` — Docker Hub and registry credentials
- `~/.kube/config` — Kubernetes cluster tokens and certificates
- `~/.helm/` — Helm repository credentials
- `*.tfstate` and `*.tfstate.backup` in workspace — Terraform state with plaintext secrets
Confidence
98% confidence
Finding
~/.docker/config.json

Credential Access

High
Category
Privilege Escalation
Content
- Git repositories in the workspace for committed secrets
- SSH keys and config (`~/.ssh/`) for weak permissions
- Shell history files for commands containing tokens or passwords
- Known credential file paths (`.netrc`, `.npmrc`, `.pypirc`, Docker config, AWS credentials, etc.)

---
Confidence
95% confidence
Finding
.npmrc

Credential Access

High
Category
Privilege Escalation
Content
*Package Managers & Registries:*
- `~/.netrc` — often contains login credentials for multiple services
- `~/.npmrc` — NPM auth tokens
- `~/.pypirc` — PyPI upload credentials
- `~/.gem/credentials` — RubyGems API key
- `~/.cargo/credentials.toml` — Rust crate registry token
Confidence
98% confidence
Finding
~/.npmrc

Credential Access

High
Category
Privilege Escalation
Content
*Git:*
- `<workspace>/.git/` — check for secrets in tracked files
- `~/.gitconfig` — may contain tokens in URL credentials
- `~/.git-credentials` — plaintext git credentials

*Local System Directories:*
- `~/Downloads/`, `~/Desktop/`, `~/Documents/` — credential files, exported keys, service account JSONs, `.pem` files left in the open
Confidence
99% confidence
Finding
~/.git-credentials

Credential Access

High
Category
Privilege Escalation
Content
- Git repositories in the workspace for committed secrets
- SSH keys and config (`~/.ssh/`) for weak permissions
- Shell history files for commands containing tokens or passwords
- Known credential file paths (`.netrc`, `.npmrc`, `.pypirc`, Docker config, AWS credentials, etc.)

---
Confidence
95% confidence
Finding
.netrc

Credential Access

High
Category
Privilege Escalation
Content
| Secret Type | Examples | Where It Looks |
|---|---|---|
| **API Keys** | Shodan, VirusTotal, OpenAI, Anthropic, AWS, GCP, Stripe, GitHub tokens | `.env` files, skill configs, shell history, git repos |
| **Passwords** | Plaintext passwords in configs, database connection strings with embedded passwords | Config files, `.env`, `.netrc`, skill directories |
| **Private Keys** | SSH private keys, PEM files, JWTs with embedded secrets | `~/.ssh/`, workspace, skill directories |
| **Cloud Credentials** | AWS access keys, GCP service account JSON, Azure tokens | `~/.aws/`, `~/.config/gcloud/`, env vars, configs |
| **Tokens & Sessions** | OAuth tokens, bearer tokens, session cookies, webhook URLs | Chat history, shell history, `.env` files |
Confidence
94% confidence
Finding
.netrc

Credential Access

High
Category
Privilege Escalation
Content
- `~/.config/hcloud/cli.toml` — Hetzner Cloud CLI config

*Package Managers & Registries:*
- `~/.netrc` — often contains login credentials for multiple services
- `~/.npmrc` — NPM auth tokens
- `~/.pypirc` — PyPI upload credentials
- `~/.gem/credentials` — RubyGems API key
Confidence
98% confidence
Finding
~/.netrc

Credential Access

High
Category
Privilege Escalation
Content
*Cloud Providers:*
- `~/.aws/credentials`, `~/.aws/config`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/` — Azure CLI profiles and tokens
- `~/.oci/config` — Oracle Cloud config
- `~/.config/doctl/config.yaml` — DigitalOcean CLI config
Confidence
90% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.