Redmine Pilot

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Redmine helper, but it can read and change live project tickets and its broad trigger wording increases accidental-use risk.

Install only if you want the agent to access your Redmine instance. Use a least-privilege API key, keep prompts Redmine-specific, and require the agent to show the exact project, issue, fields, notes, and status changes before any create or update action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill uses environment variables and makes outbound network requests to a remote Redmine server, but it does not declare those capabilities or permissions. This creates a transparency and governance gap: operators may enable the skill without realizing it can access secrets and interact with external systems, increasing the chance of unintended data access or remote actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description understates the actual behavior: beyond basic issue querying and status updates, the skill can retrieve detailed issue data including journals/attachments and perform broader metadata and issue modifications. This mismatch can mislead users and reviewers about the scope of access and side effects, causing them to authorize a skill with more reach than expected.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger terms are broad and include generic words like 'project', 'issue', '任务', and '工单', which may appear in many unrelated conversations. Over-broad triggering can cause the skill to activate unexpectedly in the wrong context, leading to unintended API calls, disclosure of project data, or accidental modification attempts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents remote write operations such as creating and updating issues without warning that these actions modify external project-management data. In an agent setting, lack of explicit warning or confirmation increases the risk of accidental state changes, unauthorized workflow disruption, or audit-impacting updates on production project records.

VirusTotal

65/65 vendors flagged this skill as clean.
