Back to skill

Security audit

Qlik Cloud

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Qlik Cloud integration, but it gives an agent broad access to business data and production-changing actions without strong guardrails.

Install only if you want an agent to access and operate on your Qlik Cloud tenant. Use a least-privilege Qlik API key, keep it out of version control and shared notes, verify QLIK_TENANT is your legitimate HTTPS Qlik Cloud tenant, and require human confirmation before delete, reload cancel, automation run, alert trigger, or other production-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents use of environment variables, shell scripts, and networked API access, but the skill file does not declare permissions or trust boundaries. This creates a transparency and governance gap: an agent may invoke capabilities with broader access than a reviewer or user expects, increasing the chance of unintended credential use or external actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises destructive and workflow-triggering capabilities such as app deletion, reload triggering, automation execution, and user management without clearly warning operators about side effects, permissions, or the risk of modifying production data and workflows. In an agent skill context, this is dangerous because documentation strongly influences autonomous tool use, and omission of cautions increases the chance that an agent or user will invoke state-changing operations unintentionally.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation text is very broad: 'use when user asks about Qlik, Qlik Cloud, Qlik Sense apps, analytics dashboards, data reloads, or wants to query business data using natural language.' This can cause the skill to trigger for general analytics or business-data questions and then use powerful tenant-scoped operations and credentials in contexts where the user did not clearly intend Qlik Cloud access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes destructive or state-changing operations such as app deletion, app creation, reload triggering/canceling, automation execution, and alert triggering without prominent warnings or confirmation requirements. In an agent setting, this increases the risk of accidental administrative actions against production analytics assets and workflows.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The setup instructions tell users to place a Qlik API key into TOOLS.md or environment variables but do not warn that the key is sensitive, should not be committed to source control, and should be scoped minimally. This omission raises the likelihood of credential leakage through documentation files, logs, or shared repositories.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends the user's free-form natural-language question to the remote Qlik Cloud API and explicitly enables visualization cell data, which can cause actual underlying business data to be returned. In this skill context, that behavior is expected functionality, but it still creates a real data-disclosure risk because users may unknowingly submit sensitive queries and receive sensitive records without any explicit warning, minimization, or confirmation step.

External Transmission

Medium
Category
Data Exfiltration
Content
print(json.dumps(body))
")

curl -sL -X POST \
  -H "Authorization: Bearer ${QLIK_API_KEY}" \
  -H "Content-Type: application/json" \
  -d "$REQUEST_BODY" \
Confidence
84% confidence
Finding
curl -sL -X POST \ -H "Authorization: Bearer ${QLIK_API_KEY}" \ -H "Content-Type: application/json" \ -d

External Script Fetching

High
Category
Supply Chain
Content
TENANT="${QLIK_TENANT%/}"
[[ "$TENANT" != http* ]] && TENANT="https://$TENANT"

curl -sL \
  -H "Authorization: Bearer ${QLIK_API_KEY}" \
  -H "Content-Type: application/json" \
  "${TENANT}/api/v1/apps/${APP_ID}/data/lineage" | python3 -c "
Confidence
94% confidence
Finding
curl -sL \ -H "Authorization: Bearer ${QLIK_API_KEY}" \ -H "Content-Type: application/json" \ "${TENANT}/api/v1/apps/${APP_ID}/data/lineage" | python

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.