Back to skill

Security audit

zentao-bug-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for automating Zentao bug analysis, but it needs Review because it can post to a business tracker, alter local repositories, store credentials, and exposes an overbroad host file-write bridge during attachment downloads.

Install only if you trust this publisher and are comfortable giving the skill access to your Zentao account, local code repositories, bug attachments, and the ability to post comments. Run it in a dedicated workspace, review generated comments before posting when possible, avoid using highly privileged Zentao credentials, and fix or constrain the download file-write bridge before using it with untrusted Zentao content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs terminating local processes with broad OS commands such as taskkill and process enumeration, which can affect processes beyond the minimum needed for bug analysis. Even though it narrows intent to zentao-related processes, this creates unnecessary host-impacting capability and increases the chance of accidental disruption or abuse on the local machine.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script exposes a Node-side function to the browser page that writes arbitrary data to an arbitrary host file path supplied by page JavaScript. Because the page is reached via a user-supplied CDP endpoint and the page context can execute untrusted or compromised content, any script running in that page can abuse __writeChunk to overwrite files on the host, which exceeds the stated download-only purpose.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The comment suggests the exposed function is only for writing downloaded files, but the implementation accepts any filePath argument from browser code without validation. This mismatch is dangerous because it can mislead reviewers into underestimating that page-controlled JavaScript has a generic host file-write capability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The checklist mandates operationally impactful actions—downloading attachments, checking out arbitrary commits, updating submodules, posting comments to an external system, and killing processes—without any requirement for user confirmation, dry-run mode, scope restriction, or safety validation. In an agent skill context, this can cause unintended code/worktree modification, external data exfiltration or disclosure via comments, and termination of unrelated local processes if identifiers are wrong or outputs are spoofed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The natural-language trigger conditions are broad enough to match ordinary conversation, which can cause the skill to activate unexpectedly and initiate high-impact actions like accessing Zentao, downloading files, writing comments, and modifying local git state. In a skill with external-system access and local execution, accidental activation materially increases risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill performs several sensitive operations—local password storage, repository checkout, attachment download, external comment posting, and process termination—without a consolidated, explicit risk disclosure and consent model. Users may not understand that invoking the skill can alter local state and send data to external systems, increasing the likelihood of unsafe use.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/zentao-login.js:29