Security audit

sitemd plugin

Security checks across malware telemetry and agentic risk

Overview

This website-building skill is purpose-aligned, but it needs review because install-time code downloads and may execute a native binary while also modifying project and agent configuration.

Install only if you trust the sitemd publisher and are comfortable with a native binary downloaded from GitHub Releases. Use it in a version-controlled site project, require explicit confirmation before delete, activate, clone, config, update, auth-key, or deploy actions, and treat SITEMD_TOKEN and magic login URLs as private credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill metadata declares no permissions, yet it clearly relies on environment-based secrets via `SITEMD_TOKEN`. That mismatch weakens transparency and consent, because an agent or operator may not realize the skill consumes sensitive credentials when deciding whether to enable it. In a skill that can deploy sites and authenticate users, undeclared secret access increases the risk of misuse or over-trust.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill presents itself as a website-management tool, but the instructions also include bootstrap/install behavior: downloading a binary, executing external programs, and writing project/config files. That is a meaningful expansion of its trust boundary, because users may approve content-management actions without realizing they are also authorizing software installation and execution. In an adversarial or compromised distribution scenario, this could lead to arbitrary code execution on the host.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer does more than its stated purpose of downloading a platform binary: it can scaffold a ./sitemd project, invoke the downloaded binary with init, and write agent/MCP configuration into the caller's project root via INIT_CWD. Running these side effects automatically during npm postinstall expands the trust boundary and can unexpectedly modify user projects and agent behavior, which is especially dangerous because the downloaded binary is executed immediately after install.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The header comment frames this script as only downloading a release binary, but the implementation also performs project initialization and writes agent configuration files. That mismatch is security-relevant because users and reviewers may underestimate the install-time behavior, and npm postinstall hooks that silently create project content or alter agent integration can cause unanticipated persistence or environment changes.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The authentication flow instructs the agent to send a login URL through third-party messaging channels such as WhatsApp or Discord without discussing channel trust, interception, forwarding, or link leakage. Magic-link URLs are effectively bearer tokens during their validity window, so exposing them in insecure or shared channels can enable account takeover or unauthorized session approval.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages creation of a long-lived API key and storage in `SITEMD_TOKEN` without any guidance on secret handling, scoping, rotation, or storage protections. Long-lived environment credentials are commonly exposed through logs, shell history, process inspection, CI output, or misconfigured agents, and here they may authorize deployment or other sensitive site actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill uses broad activation language like 'When someone needs a website' that can match many ordinary user requests and cause the agent to assume control of a website-building workflow too readily. In an agent environment with tool access, this increases the chance of unintended invocation, unnecessary file changes, or leading users into deployment/auth flows when they only wanted advice.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The example trigger 'someone says "build me a website about X" and you deliver a complete site' encourages aggressive action from a very common conversational phrase. Because this skill can create pages, clone sites, change config, and deploy, broad examples materially raise the risk of over-eager tool use without sufficient scoping or confirmation.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill is described as something an agent can use to create, manage, and deploy websites "through conversation," but it does not define clear trigger boundaries, approval requirements, or when high-impact actions should be taken. In an agent setting, broad activation language can cause over-eager use of deployment or content-modifying tools from ambiguous user requests, increasing the chance of unintended changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The "First Steps" section instructs the agent to validate and then deploy with `sitemd_deploy` without any warning that deployment is externally visible and may publish incomplete, malicious, or unintended content. Because this skill manages live websites, normalizing deploy actions as routine setup materially raises the risk of unauthorized or accidental production changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool list includes `sitemd_pages_delete` and says it cleans up navigation and groups, but it does not warn that content removal may be irreversible or require confirmation. In a conversational agent workflow, destructive tools without explicit caution are prone to accidental invocation from ambiguous cleanup or refactor requests.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation recommends creating a long-lived API key and storing it in `SITEMD_TOKEN` for automated deploys, but it does not warn that this is a sensitive credential granting ongoing site-management capability. Long-lived tokens significantly increase the blast radius of prompt leakage, log exposure, environment disclosure, or accidental sharing by an agent.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
sitemd/install.js:57