Tool Connector

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about connecting tools, but it captures and persists browser/session credentials for many services and weakens transport security checks, so it needs careful review before installation.

Install only if you are comfortable with an agent acting as your logged-in user across chat, email, Drive, CI, and ticketing tools. Prefer scoped API tokens or dedicated low-privilege accounts, confirm your organization's policy on session-token capture, protect the local token files, and avoid using the bundled insecure TLS examples as-is.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (88)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout
except ImportError:
    print("Installing playwright...")
    os.system(f"{sys.executable} -m pip install playwright -q")
    os.system(f"{sys.executable} -m playwright install chromium -q")
    from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout
Confidence
92% confidence
Finding
os.system(f"{sys.executable} -m pip install playwright -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing playwright...")
    os.system(f"{sys.executable} -m pip install playwright -q")
    os.system(f"{sys.executable} -m playwright install chromium -q")
    from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout

# Re-export for tool sso.py files that need it
Confidence
91% confidence
Finding
os.system(f"{sys.executable} -m playwright install chromium -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout
except ImportError:
    print("Installing playwright...")
    os.system(f"{sys.executable} -m pip install playwright -q")
    os.system(f"{sys.executable} -m playwright install chromium -q")
    from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout
Confidence
91% confidence
Finding
os.system(f"{sys.executable} -m pip install playwright -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
except ImportError:
    print("Installing playwright...")
    os.system(f"{sys.executable} -m pip install playwright -q")
    os.system(f"{sys.executable} -m playwright install chromium -q")
    from playwright.sync_api import sync_playwright, TimeoutError as PlaywrightTimeout
Confidence
91% confidence
Finding
os.system(f"{sys.executable} -m playwright install chromium -q")

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The documentation repeatedly instructs users to disable TLS certificate validation with curl `-k`, and the Python helper explicitly sets `check_hostname = False` and `verify_mode = ssl.CERT_NONE`. This makes bearer-token authenticated requests vulnerable to man-in-the-middle interception or response tampering, which is especially dangerous on internal enterprise networks where these credentials can grant broad repository read access.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description frames the connection as primarily for listing, searching, reading, and exporting Google Drive data, but the quick-start example also exposes spreadsheet write operations. This mismatch can mislead downstream agents or users into invoking state-changing actions on remote documents without realizing the tool is not read-only, increasing the risk of unintended modification of user data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The Python helper explicitly disables TLS hostname verification and certificate validation, which makes Basic-auth Jenkins credentials and all API responses vulnerable to man-in-the-middle interception or tampering. In this context the code is presented as a reusable connection example, so readers may copy it directly into production automation and unknowingly remove a core transport security control.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The verification example explicitly disables both TLS certificate validation and hostname verification before sending Jira credentials over HTTPS. This makes the connection check vulnerable to man-in-the-middle interception, allowing an attacker on the network or with a rogue proxy/certificate to capture the Basic-auth credential pair and tamper with responses.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly instructs users to run a script that captures a live Outlook access token from browser traffic and stores it in an environment file. Even if framed as read-only, this is credential harvesting of a bearer token for a personal mailbox, and the guidance normalizes extraction and reuse of sensitive auth material without clear authorization, consent, or safeguards.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to capture live Microsoft bearer tokens from browser/network activity and persist them in a local .env file. This creates a credential-harvesting and insecure secret-storage workflow that can expose mailbox and profile access if the file, process output, or host is compromised; the lack of a clearly bounded business purpose makes this more dangerous, not less.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The personal-account flow captures an Outlook access token from an active browser session and writes it to .env, effectively extracting reusable credentials from an authenticated session. That exposes sensitive email access to any local compromise, accidental commit, or reuse by unrelated tooling, and is especially risky because the skill has no declared narrow purpose justifying such access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly relies on extracting and using Slack user-session credentials (`xoxc` token and `d` cookie) obtained through SSO, which bypasses normal app-based OAuth controls and grants broad access as the user. That creates a credential-access capability far beyond a narrowly scoped integration and increases the risk of account misuse, data exfiltration, and policy bypass if the environment or skill is compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The auth setup automates browser-based SSO and persists Slack session secrets into `.env`, turning ephemeral authenticated browser state into reusable credentials on disk. This materially lowers the barrier to credential theft and lateral misuse because any local process, log leak, or repo mistake can expose full user-session access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The setup explicitly instructs users to capture a Slack browser session token (`xoxc`) and session cookie (`d`) and persist them in `.env`, which are highly sensitive session credentials that can grant access to the user's Slack account and workspace data. Framing these as the normal authentication method, with 'no admin approval needed' and 'everything else is automated,' increases suspicion because it encourages credential harvesting and durable local storage of browser-derived secrets beyond a narrowly justified setup flow.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The verification code disables TLS certificate validation by setting `check_hostname = False` and `verify_mode = ssl.CERT_NONE` before contacting `https://slack.com/api/auth.test`. This makes the credential check vulnerable to man-in-the-middle interception or spoofing, especially dangerous because the request carries both the bearer token and session cookie.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A shared browser utility is expected to provide helper functions, not mutate the host by installing packages and browser binaries. This hidden capability makes the file more dangerous in context because any importer can unexpectedly trigger privileged environment changes and network-dependent setup.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The helper disables both certificate verification and hostname checking for HTTPS requests while presenting itself as a normal GET wrapper. This permits man-in-the-middle interception and tampering of requests and responses, which is especially risky if these helpers are used to validate authenticated sessions or send sensitive headers.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This no-redirect helper also disables HTTPS validation, but its documentation only mentions redirect handling. The mismatch makes misuse more likely and enables interception or spoofing of responses during session-state checks, potentially leaking or misvalidating authentication data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script's stated purpose is to open SSO flows and harvest reusable authentication material for multiple unrelated services, including Slack, Google Drive, Teams, Outlook, and Grafana. Consolidating and persisting cross-service session secrets is characteristic of credential collection tooling and creates broad account compromise potential far beyond normal automation needs.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code explicitly scrapes tokens from localStorage and cookies for Slack, then uses similar interception patterns elsewhere to capture authenticated session material from browser context and network traffic. This exceeds ordinary login automation and directly extracts bearer/session secrets that can be replayed outside the browser, enabling account takeover and data access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script advertises persistent storage of captured credentials for later reuse across several services, including writing tokens to .env files and auth JSON on disk. Persisting harvested session material magnifies risk by turning ephemeral browser sessions into reusable local secrets vulnerable to theft, misuse, and lateral movement.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly instructs storing live credentials in a root-level `.env` file and gives examples of token values and generation locations, but it does not include clear handling guidance such as keeping the file out of version control, restricting file permissions, avoiding sharing outputs, or redacting secrets from examples. In a workflow that also asks the agent to run commands and capture output, this increases the risk of accidental secret disclosure through commits, logs, screenshots, or copied snippets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup guide explicitly directs the agent to place credentials in a local `.env` file and to run SSO/token-capture flows, but it provides no warning that these values are sensitive secrets that may persist on disk or expose browser/session tokens. In a security-sensitive setup workflow, omission of secret-handling guidance materially increases the chance of credential leakage, accidental commit, or unsafe local storage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prerequisites tell the user to create `.env` specifically for connection values but do not warn that the file will contain sensitive credentials. This omission makes accidental exposure more likely, especially in repositories where `.env` may be inspected, backed up, or committed if ignore rules are absent or misconfigured.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The instructions create and immediately load `verified_connections.md`, which acts as a capability index of the user's connected systems, but they do not warn that this file reveals internal tool inventory and access profile. While it may not hold raw credentials, it is still sensitive operational metadata that could aid targeting or lateral movement if exposed.

VirusTotal

VirusTotal findings are pending for this skill version.
