zion-baas-skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Zion backend administration, but it stores powerful developer/admin/user tokens in plaintext project files and enables live backend mutations with limited safety controls.

Install only for Zion projects you own or administer. Prefer OAuth over email/password CLI login, add .zion/credentials.yaml to .gitignore, restrict file permissions, avoid shared machines/workspaces, rotate tokens after use, and require explicit review before running mutations or production backend actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: When run directly, the script retrieves a runtime admin token and persists it into a local credentials file, creating a durable high-privilege secret on disk. In the context of a skill intended for backend integrations, this expands from transient authentication use into privileged credential materialization, which increases the chance of token theft, accidental commit, local compromise, or reuse beyond the intended session.

Intent-Code Divergence
Severity: Low
Confidence: 81%
Finding: The docstring says the function returns the admin token and URL, but the direct-execution path also writes the admin token to disk without documenting that side effect. Undocumented persistence of privileged credentials is dangerous because operators may invoke the script assuming a transient fetch, while it actually leaves a reusable secret behind in local storage.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The README explicitly instructs users that developer tokens and project admin tokens are automatically stored in a local `.zion/credentials.yaml` file, but it provides no warning about the sensitivity of those secrets, file permissions, encryption, or exclusion from source control. Because these are high-privilege backend credentials for GraphQL/admin access, accidental exposure through git commits, shared workspaces, backups, or multi-user machines could lead to unauthorized access and modification of backend data.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The skill explicitly requires persisting developer, admin, and user JWTs in a project-local `.zion/credentials.yaml`, but provides no safeguards such as file permission restrictions, exclusion from version control, encryption, or use of OS secret stores. Because these tokens include administrative runtime access, accidental disclosure through commits, backups, workspace sharing, or local malware could directly enable unauthorized access to backend data and operations.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill instructs collecting usernames/passwords and also passing email/password credentials on the command line via `npm run auth:email <email> <password>`. Command-line arguments are often exposed via shell history, process listings, logs, and telemetry, so this pattern can leak credentials even on otherwise trusted systems.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The script stores a developer JWT to disk in a predictable local file without any user disclosure, consent prompt, or file-permission hardening. Persisting bearer tokens increases the chance of credential theft from local compromise, backups, shared workspaces, or accidental check-in, and this is especially sensitive because the token appears to grant developer access to a BaaS platform.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The script persists a bearer access token to a local YAML file in the working directory without warning the user, without restricting file permissions, and without using an OS-backed secret store. If another local user, process, repository commit, backup system, or malware can read that file, the token can be reused to access the account until it expires.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The script writes a runtime admin token to credentials.yaml without any user-facing warning, confirmation, or indication of sensitivity. A high-privilege token stored silently on disk can be harvested by other local processes, accidentally committed to version control, or reused by anyone with filesystem access.

Ssd 3
Severity: High
Confidence: 98%
Finding: The skill mandates persistent retention of developer/admin/user JWTs along with `user_tags` containing notable information in a project-local YAML file. This combines secret retention with user-related descriptive data, increasing the blast radius of any repo leak, endpoint compromise, or accidental sharing and making the skill context more dangerous because the stored tokens can grant broad backend access.

Credential Access
Severity: High
Category: Privilege Escalation
Content (excerpt from the flagged source file):
  console.log("Authentication successful.");

  const credentialsDir = path.resolve(process.cwd(), ".zion");
  const credentialsPath = path.join(credentialsDir, "credentials.yaml");

  let data: any = {};
  if (fs.existsSync(credentialsPath)) {
Confidence: 81%
Finding: credentials.yaml

Credential Access
Severity: High
Category: Privilege Escalation
Content (excerpt from the flagged source file):
  console.log("Authentication successful.");

  const credentialsDir = path.resolve(process.cwd(), ".zion");
  const credentialsPath = path.join(credentialsDir, "credentials.yaml");

  let data: any = {};
  if (fs.existsSync(credentialsPath)) {
Confidence: 88%
Finding: credentials.yaml

VirusTotal

51/51 vendors reported this skill as clean.
