Back to skill

Security audit

Qubitclient

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent quantum-calibration client guide, but users should handle its credentials carefully and be cautious with live measurement-control features.

Before installing, verify you trust the qubitclient package source, keep generated config files out of version control, restrict access to API keys and license tokens, and use the MCP control features only in environments where you are authorized to change live measurement settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to generate local configuration files containing API keys, model endpoints, and license tokens, but it does not warn that these secrets will be stored on disk in plaintext. This increases the risk of accidental disclosure through source control, shared workspaces, backups, or permissive filesystem access, especially in research or multi-user environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation advertises real-time measurement control, parameter updates during measurement, and automated calibration workflows without warning that these features can change live experimental settings. In a quantum lab context, undocumented live control can cause unintended experiment state changes, wasted instrument time, invalid results, or potentially unsafe hardware operation if users do not realize commands are mutative.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.