Back to skill

Security audit

Dirextalk Deployer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate deployment helper, but it deserves review because it installs persistent services and stores live service tokens on disk.

Install only if you are comfortable with a tool that can create billable AWS resources, install npm packages, run a persistent local bridge daemon, and store Dirextalk/Matrix service tokens under your home directory. Prefer a dedicated temporary AWS deployment user over root keys, review the generated files, restrict access to `~/.dirextalk/nodes/<service_id>/`, and rotate or delete credentials if those files may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly describes a host-stored bootstrap file containing `password`, `access_token`, `agent_token`, and `agent_room_id`, but does not warn that these are highly sensitive bearer credentials or specify required file permissions, rotation, or handling precautions. In the context of a deployment skill for a production message server, omission of credential-handling guidance increases the chance operators will expose or mishandle secrets, leading to account/session compromise and unauthorized API access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly instructs the workflow to write local credentials and service configuration during S6, but it does not warn about filesystem sensitivity, file permissions, backup leakage, or multi-user host exposure. In a deployment skill that provisions real infrastructure and handles live tokens, omission of storage-safety guidance increases the chance that secrets are left readable to other local users or unintentionally synced to backup/cloud tooling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The completion section provides commands that install and execute software fetched from the network, including npm installation and daemon installation, without a clear warning that this modifies the host system and may install persistent services. In the context of an agent skill meant to automate deployment, users may run these commands directly, so lack of an explicit consent/safety notice meaningfully increases operational risk.

Credential Access

High
Category
Privilege Escalation
Content
- App 域名: `<domain>`
- 八位 App 初始化码: 后端 `password` 字段的当前值
- 本地服务凭据: `~/.dirextalk/nodes/<service_id>/credentials.json`
- MCP endpoint 由 `state.json` 与 `dirextalk-connect/config.toml` 的当前消费者持有,不再生成无人消费的 `mcp/env`
- dirextalk-connect 配置: `~/.dirextalk/nodes/<service_id>/dirextalk-connect/config.toml`
- MCP 配置目录: `~/.dirextalk/nodes/<service_id>/mcp/`
Confidence
93% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
## Installation Policy

- `DIREXTALK_AGENT_INSTALL=skip`: write credentials, canonical MCP artifacts, and dirextalk-connect config only.
- `DIREXTALK_AGENT_INSTALL=recommend`: write files, record state, and print the install command.
- `DIREXTALK_AGENT_INSTALL=auto` (default): refresh `dirextalk-connect@latest` under `~/.dirextalk/nodes/<service_id>/dirextalk-connect`, unless explicit binary/command overrides are set. S6 writes short wrappers at `dirextalk-connect/dirextalk-connect(.cmd)`, installs or refreshes the service-scoped `dirextalk-connect daemon install --config ~/.dirextalk/nodes/<service_id>/dirextalk-connect/config.toml --service-name <service_id> --force`, and records dirextalk-connect as installed only after `dirextalk-connect daemon status --service-name <service_id>` reports `Status: Running` and recent daemon logs show `dirextalk-connect is running`. Logs that show agent CLI missing, login/auth/trust failures, ACP startup failures, or agent offline state make S6 fail with `connect_install_status=install_failed`; deploy does not continue to completion until the daemon startup is verified. MCP records `mcp_install_status=not_required` for the HTTP endpoint path.
Confidence
80% confidence
Finding
write credentials, canonical MCP artifacts, and dirextalk-connect config only. - `DIREXTALK_AGENT_INSTALL=recommend`: write files, record state, and print the install command. - `DIREXTALK_AGENT_INSTA

Session Persistence

Medium
Category
Rogue Agent
Content
- **S1_PREFLIGHT**: 校验 region、Lightsail 套餐和 Lightsail 可用区,然后选择云提供方;不查询 AWS Free Tier 或免费额度使用情况。默认 Lightsail,默认 AZ 是 `<region>a`;如果默认 AZ 不可用则选择同 region 其他可用 Lightsail AZ;如果 Lightsail 当前 region 没有可用套餐或可用区,且用户没有显式强制 Lightsail,则在 S1 记录选择 EC2。EC2 路径会校验默认 VPC、vCPU 配额、Elastic IP 可用配额和 Ubuntu 24.04 amd64 AMI。
- **S2_DOMAIN**: 确认正式长期域名和 Matrix `server_name` 不可逆绑定。
- **S3_PROVISION**: 按 S1 记录的 provider 创建资源。开始创建云资源前解析最新稳定 server GitHub Release、校验 manifest checksum,并在 `state.json.server_release` 固定 version/image/digest/image_ref/manifest_digest,同时记录独立 updater 的 version/commit/SHA-256 pin。Lightsail 路径创建 Ubuntu 24.04 实例、密钥对、静态 IP 和防火墙端口;EC2 创建 Ubuntu 24.04 amd64 实例、密钥对、安全组、Elastic IP 和 50 GiB gp3 root EBS。两条路径的 user-data 都包含 bootstrap;在校验宿主为 Ubuntu 22.04 或 24.04 x86_64 后,bootstrap 直接下载固定 updater Release URL、核对 deployer 固定 SHA-256 并原子安装。S3 只通过 SSH 触发可续跑 bootstrap,不复制二进制。`MESSAGE_SERVER_IMAGE` 只在同时设置 `DIREXTALK_ALLOW_MESSAGE_SERVER_IMAGE_OVERRIDE=1` 的 debug/legacy 部署中可用。
- **LEGACY_ADOPT**: 不属于普通 S3 resume。仅 `scripts/adopt-legacy-node.sh` 在 dry-run 证明固定 d1 v0.15.2/digest/Compose/host-Caddy 拓扑并收到精确确认后,写入 `server_release.source=legacy_adopted`,生成 `/var/dirextalk-message-server` 不可变视图并调用同一 updater resume。流程不 pull、不 recreate 在线镜像;Caddy 只新增 public jobs 路由,validate/reload 失败恢复原文件。
- **S4_BOOTSTRAP_STACK**: 等云端 user-data 安装 Docker 并启动 `postgres:18 + message-server + caddy + coturn`,轮询 `https://<domain>/healthz`。
- **S5_INIT_TOKENS**: SSH 读取云端 `init-tokens.sh` 生成的 `/var/dirextalk-message-server/p2p/bootstrap.json`,归一化 `password`、`access_token`、`agent_token`、真实 `agent_room_id`。云端脚本会先调用 `portal.bootstrap`,用 `agent_token` 创建 `@agent:<server>` Matrix session,再用 owner Matrix token 创建房间并邀请/加入 agent,最后回写真正的 agent room。`password`、owner `access_token` 和 `agent_token` 按一次性/易失凭据处理;需要登录或用 token 调接口前,必须重新从服务器拉取最新 `/var/dirextalk-message-server/p2p/bootstrap.json`,不要复用旧输出。
- **S6_WIRE_LOCAL**: 写本地凭据、用 `agent_token` 创建 `@agent:<server>` Matrix session、写 `dirextalk-connect/config.toml`,写 MCP 配置片段,并按策略安装或
...[truncated 25 chars]
Confidence
81% confidence
Finding
create 在线镜像;Caddy 只新增 public jobs 路由,validate/reload 失败恢复原文件。 - **S4_BOOTSTRAP_STACK**: 等云端 user-data 安装 Docker 并启动 `postgres:18 + message-server + caddy + coturn`,轮询 `https://<domain>/healthz`。 - **S

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/agent-targets.md:87