EVC Team Relay

Security checks across malware telemetry and agentic risk

Overview

This skill gives an agent authenticated read, write, and delete access to a configured Team Relay Obsidian vault, and the reviewed artifacts disclose that behavior clearly enough for its purpose.

Install only with a Relay account scoped to the shares the agent should access. Prefer read-only credentials unless the agent truly needs edits, use RELAY_TOKEN or a protected secret source instead of passing tokens on the command line, avoid committing RELAY_PASSWORD in config, and require explicit human approval for deletes or broad updates in shared vaults.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script exposes a destructive delete operation even though the skill metadata describes read/write, list, and search capabilities, not deletion. This mismatch can cause users or calling agents to grant trust under incomplete assumptions, increasing the risk of unauthorized or unexpected data loss in a shared collaborative vault.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly advertises broad read/write access to a shared Obsidian vault, including the ability to create, modify, and delete notes, but does not warn users about integrity risks, accidental destructive changes, or the sensitivity of shared knowledge-base content. In an agent skill, this omission is security-relevant because users may enable powerful document mutation capabilities without understanding the blast radius of mistakes, prompt-injection-driven edits, or agent misuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The configuration examples instruct users to place a plaintext password directly in JSON config and shell environment variables without any warning about secret exposure. This increases the risk of credential leakage through shell history, process listings, screenshots, config file disclosure, backups, or accidental commits, especially on multi-user systems or shared developer environments.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents a delete operation for shared vault content without any warning, confirmation flow, or guidance on safe use. In a collaborative knowledge base, accidental or unauthorized triggering of destructive actions can cause data loss affecting multiple users, especially if an agent is given broad autonomy.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script performs irreversible file deletion immediately from supplied arguments with no confirmation prompt, dry-run mode, or secondary validation of user intent. In a shared Obsidian/Relay environment, an accidental or misrouted invocation could delete collaborative content and disrupt multiple users.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script accepts the bearer token via a positional command-line argument when RELAY_TOKEN is not set. Command-line arguments are commonly exposed through process listings, shell history, audit logs, and job runners, which can leak credentials to other local users or logging systems. In this skill's context, the token grants access to a collaborative document vault, so leakage could enable unauthorized reading or modification of shared notes.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script accepts the bearer token as a positional command-line argument when RELAY_TOKEN is not set. Command-line arguments are commonly exposed through process listings, shell history, audit logs, and orchestration tooling, which can leak the credential to other local users or monitoring systems. In this skill's context, the token grants access to a shared collaborative vault, so disclosure could enable unauthorized reading or modification of team documents.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script accepts a bearer token as a positional CLI argument when RELAY_TOKEN is unset. Command-line arguments are commonly exposed through process listings, shell history, audit logs, and CI runner diagnostics, which can leak the credential to other local users or logging systems. In this skill's context, the token grants access to a shared collaborative vault, so exposure could allow unauthorized reading or modification of shared notes.

VirusTotal

62/62 vendors flagged this skill as clean.
