Back to skill

Security audit

Fabric.co API skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Fabric API helper that can read and change a user’s Fabric workspace, with no hidden exfiltration or persistence found.

Install only if you want an agent to access and modify your Fabric workspace. Use a scoped or revocable Fabric API key if available, avoid putting tokens in URLs, keep FABRIC_BASE/--base pointed at trusted Fabric-compatible endpoints, do not use --with-key for arbitrary URLs, and review delete, recover, bulk-write, and file-upload operations before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions while clearly requiring environment access, file reads, and network access to a third-party API. This weakens transparency and policy enforcement because an agent or reviewer may not realize the skill can access secrets and transmit user content externally.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The helper intentionally permits absolute URLs and will issue requests to any http/https destination, which expands the skill beyond the stated Fabric API scope into a generic network client. Although it avoids sending the Fabric API key to absolute URLs by default, this still enables SSRF-style behavior, unintended access to internal or attacker-controlled services, and can be combined with --with-key to exfiltrate the API key to arbitrary endpoints.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The helper accepts arbitrary absolute URLs and will issue requests to them, making it a generic HTTP client rather than a Fabric-only wrapper. In an agent/skill context, this expands the trust boundary and can enable SSRF-style access to unexpected external or internal endpoints, even though the code tries not to send the Fabric API key to absolute URLs by default.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The activation guidance is broad enough that the skill may be invoked for many generic requests involving reading or writing notes or workspace content. Over-broad triggering increases the chance of unnecessary external API use, unintended data disclosure to Fabric, or writes to persistent user storage without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accepting an access token in a query parameter is dangerous because URLs are commonly logged by browsers, proxies, load balancers, analytics systems, and server logs. In a skill/agent context, this increases the chance that sensitive bearer material is exposed to intermediaries or retained in history, enabling unauthorized access if leaked.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The recovery endpoint allows accessToken in the query string, which creates the same credential leakage risk through logs, monitoring tools, browser history, and referral handling. Because this endpoint restores resources, a leaked token could be abused to recover items without the user’s intent.

Missing User Warnings

High
Confidence
99% confidence
Finding
This delete endpoint is both destructive and willing to receive an access token via query parameters, compounding the risk of token exposure with irreversible or high-impact actions. In an agent skill, destructive operations should be especially hardened because leaked credentials or accidental invocation can lead to bulk deletion of user resources.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Space creation accepting accessToken in the URL exposes credentials to the same logging and history channels as other query-token patterns. While creation is less severe than deletion, a leaked token still grants an attacker authenticated capability and broadens the blast radius in a collaborative workspace environment.

Session Persistence

Medium
Category
Rogue Agent
Content
# Fabric API (HTTP via Node/Python)

Use this skill when you need to **read or write content in a user's Fabric workspace** using the Fabric HTTP API (`https://api.fabric.so`).

This version avoids bash-only wrapper scripts. It ships **cross-platform** helpers:
Confidence
80% confidence
Finding
write content in a user's Fabric workspace** using the Fabric HTTP API (`https://api.fabric.so`). This version avoids bash-only wrapper scripts. It ships **cross-platform** helpers: - Node: `{baseDi

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/fabric.mjs:96