Back to skill

Security audit

pancake-skills

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Pancake API helper, but it needs review because some high-impact write and token actions bypass its stated safety guard.

Install only in a trusted workspace and with Pancake credentials you are comfortable exposing to an agent. Before use, patch the scripts to require CONFIRM_WRITE=YES for pages-generate-token and chat-plugin-send, fix url_encode to pass data as a Python argument instead of interpolating into code, avoid putting tokens in logs or chat transcripts, and treat exports, call logs, customer updates, staff assignment, uploads, and message sends as sensitive actions requiring explicit user intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (49)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents shell-based network access to an external API but does not declare permissions/capabilities in a manifest-visible way. This weakens policy enforcement and informed consent, because callers may not realize the skill can make outbound requests and perform write operations against remote resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description omits sensitive capabilities that are later documented, including SIP call-log retrieval and data export. This mismatch is dangerous because users and policy systems may authorize the skill for routine CRM tasks without understanding it can access broader communications metadata and bulk-export data.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Omitting call-log and export capabilities from the manifest while documenting the endpoints creates an incomplete security boundary. Hidden or under-declared data-access features increase the chance of overbroad deployment and misuse, especially for sensitive communication records and bulk data extraction.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The OpenAPI spec exposes materially broader capabilities than the stated skill description, including bulk export, SIP call logs, and round-robin/staff-routing administration. This mismatch can cause users or higher-level agents to invoke sensitive functions without informed consent, especially where the skill appears framed as routine page/conversation management.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The top-level API description claims only retrieval of page data, token generation, and conversation listing, but the specification includes many state-changing and administrative actions such as sending messages, modifying customers, deleting notes, assigning staff, and exporting data. Understating capability breadth is dangerous because it obscures operational and privacy risk from users and calling agents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents long-lived credentials, including a non-expiring page token, but provides no warning about secure storage, rotation, shell history exposure, or least-privilege handling. In a skill that manages messages, customers, users, and exports, token compromise would grant broad and potentially durable access to sensitive business and customer data.

Vague Triggers

Low
Confidence
82% confidence
Finding
The API description is broad and lacks clear trigger boundaries or usage constraints, despite including privileged actions over messages, customers, staff, exports, and tokens. In an agent skill context, vague scoping increases the chance of overbroad invocation and unintended high-impact actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The spec documents generation of long-lived page access tokens without a prominent warning about the security consequences. Because these tokens authenticate many privileged APIs and may not expire until manually rotated, accidental generation, disclosure, or misuse could enable persistent unauthorized access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The export endpoint enables bulk extraction of conversation/customer-related data over time ranges, yet lacks a warning about privacy, data-minimization, and exfiltration risk. In an agent setting, bulk export is materially more dangerous than ordinary record retrieval because it can expose large datasets in one action.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The customer update endpoint modifies personal profile fields such as name, birthday, gender, and phone numbers without any warning about data integrity or privacy impact. In agent workflows, silent write-capable customer mutation can lead to unauthorized or erroneous changes to user records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The note deletion operation is destructive but is not labeled as irreversible or high-risk. Without clear warnings, an agent or user may treat it like a routine update and remove potentially important customer context or audit history.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The helper `pancake_upload` performs a state-changing network operation that uploads local file content to an external service, but it does not invoke the documented `confirm_write` guardrail used to require explicit operator consent. In an agent skill context, this makes accidental or prompt-induced exfiltration of local files materially easier because the function can be called without the safety confirmation the file itself claims should protect write operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The chat-plugin-send command performs a POST request that can send arbitrary message content to an external service without calling confirm_write or otherwise requiring explicit user confirmation. In an agent skill context, this increases the risk of unintended outbound actions, spam, or exfiltration of sensitive conversation content supplied on stdin.

External Transmission

Medium
Category
Data Exfiltration
Content
url="${url}?${token_param}"
  fi

  # Build curl command
  local curl_args=(-s -X "$method")

  if [[ -n "$body" ]]; then
Confidence
83% confidence
Finding
curl command local curl_args=(-s -X "$method") if [[ -n "$body" ]]; then curl_args+=(-H "Content-Type: application/json" -d "$body") fi curl_args+=("$url") curl "${curl_args[@]}" } #

External Transmission

Medium
Category
Data Exfiltration
Content
chat-plugin-send)
    page_id="${1:?PAGE_ID required}"
    body="$(cat)"
    curl -s -X POST -H "Content-Type: application/json" -d "$body" "${PANCAKE_BASE_URL}/api/v1/pke_chat_plugin/messages?page_id=${page_id}"
    ;;

  # Get chat plugin messages
Confidence
95% confidence
Finding
curl -s -X POST -H "Content-Type: application/json" -d

Credential Access

High
Category
Privilege Escalation
Content
### User API (`https://pages.fm/api/v1`)
- `GET /pages` - Liệt kê pages
- `POST /pages/{page_id}/generate_page_access_token` - Tạo page access token

### Page API v2 (`https://pages.fm/api/public_api/v2`)
- `GET /pages/{page_id}/conversations` - Liệt kê conversations
Confidence
71% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
title: Pancake API Library
  version: 1.0.0
  description: >
    API for retrieving page data, generating access tokens, and listing conversations on Pancake platform.
  contact:
    name: Pancake Support
    url: 'https://www.pancake.biz/contact'
Confidence
91% confidence
Finding
access tokens

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Pancake user access token for authentication.
      responses:
        '200':
          description: Successful response
Confidence
86% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
tags:
        - Pages
      summary: Generate page_access_token
      description: "Generate or refresh page_access_token by the admin's access_token of page. Page Access Token used to authenticate public APIs on behalf of a Page. The page's admin can retrieve this token from the Pancake interface by going to: Page's settings → Tools. This token does not expire unless it is manually deleted or renewed. An API key is a token that you provide when making API calls. Include the token in a query parameter called page_access_token."
      security:
        - UserAccessToken: []
      parameters:
Confidence
98% confidence
Finding
Access Token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Pancake user access token with admin rights to the page.
      responses:
        '200':
          description: Token generated successfully
Confidence
84% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Access token of the page for authentication.
        - name: page_id
          in: path
          required: true
Confidence
82% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Access token of the page used for authentication.
      requestBody:
        required: true
        content:
Confidence
82% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Access token of the page used for authentication.
      requestBody:
        required: true
        content:
Confidence
82% confidence
Finding
Access token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Page access token
      responses:
        '200':
          description: Success response
Confidence
80% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
required: true
          schema:
            type: string
          description: Page access token
      responses:
        '200':
          description: Success response
Confidence
80% confidence
Finding
access token

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.