Security audit

伙伴个人需求登记 (Partner Personal Requirement Registration)

Security checks across malware telemetry and agentic risk

Overview

This plugin is a disclosed Teable integration for recording personal work requests, but it requires users to handle a Teable token through chat and local plaintext storage.

Install only if you are comfortable giving this plugin a short-lived, least-privilege Teable token and having that token stored in a local workspace YAML file. Delete the chat message containing the token immediately, rotate the token if the workspace or chat history may be exposed, and avoid recording sensitive HR or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The instructions direct the agent to persist a sensitive credential to `.teable-token.yaml` immediately after the user sends it in chat, without an explicit consent step for that write. Although the text tries to reduce exposure by telling the user to delete the message, it still normalizes handling secrets through chat and local file persistence, which increases the chance of credential leakage via logs, workspace access, backups, or later agent misuse.

Vague Triggers

Medium
Confidence: 88%
Finding
The plugin is configured with onStartup activation, which registers all three MCP tools every time the agent starts rather than only when a user explicitly invokes this skill. That broad exposure increases the attack surface for prompt-injection or unintended tool use, especially because the skill handles personal requirement registration and Teable credentials/config tied to organizational data.

Ssd 3

Medium
Confidence: 97%
Finding
The README instructs users to send a Teable access token through IM chat to the agent, acknowledging that the token may persist in chat history, client history, or logs. Credentials transmitted through conversational channels are at elevated risk of disclosure via message retention, logging, compromise of the chat system, or downstream agent handling, and the stated mitigations do not eliminate that exposure.

Ssd 3

Medium
Confidence: 96%
Finding
Having the agent guide the user to paste the token into chat operationalizes insecure credential handling and normalizes sending secrets over a channel not designed for secret entry. This increases the likelihood of accidental leakage and broadens the exposure surface to chat transcripts, observability pipelines, and any components that process conversation content.

Ssd 3

High
Confidence: 98%
Finding
The bootstrap instructions explicitly tell users to paste a live Teable access token into chat, which exposes a bearer secret through a channel likely to be retained in chat history, client logs, server logs, and monitoring systems. Because the token grants API access and the text acknowledges IM retention risk, this creates a real credential-exposure vulnerability in the onboarding flow.

VirusTotal

54/54 vendors flagged this plugin as clean.